For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️| diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 38b068d300..5fc9b496f6 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -20,31 +20,34 @@ ms.topic: conceptual **Applies to:** -- Windows 10 +- Windows 10 When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. >[!Note] ->If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans). +>If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information, see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans). -## Settings for Office 365 A3 or Office 365 A5 customers +## Settings for Microsoft 365 A3 or Microsoft 365 A5 customers Schools that purchased these products have an extra option for making Minecraft: Education Edition available to their students: -- Office 365 A3 or Office 365 A5 -- Enterprise Mobility + Security E3 or Enterprise Mobility + Security E5 + +- Microsoft 365 A3 or Microsoft 365 A5 - Minecraft: Education Edition -If your school has these products in your tenant, admins can choose to enable Minecraft: Education Edition for students using Office 365 A3 or Office 365 A5. On your Office 365 A3 or Office 365 A5 details page in **Microsoft Store for Education**, under **Settings & actions**, you can select **Allow access to Minecraft: Education Edition for users of Office 365 A3 or Office 365 A5**. +If your school has these products in your tenant, admins can choose to enable Minecraft: Education Edition for students using Microsoft 365 A3 or Microsoft 365 A5. From the left-hand menu in Microsoft Admin Center, select Users. From the Users list, select the users you want to add or remove for Minecraft: Education Edition access. Add the relevant A3 or A5 license if it hasn't been assigned already. -When this setting is selected, students in your tenant can use Minecraft: Education Edition even if they do not have a trial or a direct license assigned to them. +> [!Note] +> If you add a faculty license, the user will be assigned an instructor role in the application and will have elevated permissions. -If you turn off this setting after students have been using Minecraft: Education Edition, they will have 25 more days to use Minecraft: Education Edition before they do not have access. +After selecting the appropriate product license, ensure Minecraft: Education Edition is toggled on or off, depending on if you want to add or remove Minecraft: Education Edition from the user (it will be on by default). -## Add Minecraft to your Microsoft Store for Education +If you turn off this setting after students have been using Minecraft: Education Edition, they will have up to 30 more days to use Minecraft: Education Edition before they don't have access. + +## Add Minecraft to your Microsoft Store for Education You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - direct purchase](#individual-copies). -If you’ve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume licenses for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license). +If you’ve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license). ### Minecraft: Education Edition - direct purchase @@ -73,6 +76,7 @@ Now that the app is in your Microsoft Store for Education inventory, you can cho If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](./education-scenarios-store-for-business.md#purchase-additional-licenses). ### Minecraft: Education Edition - volume licensing + Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this: - Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory. @@ -80,13 +84,17 @@ Qualified education institutions can purchase Minecraft: Education Edition licen - Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft) ## Minecraft: Education Edition payment options + You can pay for Minecraft: Education Edition with a debit or credit card, or with an invoice. ### Debit or credit cards + During the purchase, click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card. ### Invoices + Invoices are now a supported payment method for Minecraft: Education Edition. There are a few requirements: + - Admins only (not supported for Teachers) - $500 invoice minimum for your initial purchase - $15,000 invoice maximum (for all invoices within your organization) @@ -109,6 +117,7 @@ After you've finished the purchase, you can find your invoice by checking **Mine > After you complete a purchase, it can take up to twenty-four hours for the app to appear in **Apps & software**. **To view your invoice** + 1. In Microsoft Store for Education, click **Manage** and then click **Apps & software**. 2. Click **Minecraft: Education Edition** in the list of apps. 3. On **Minecraft: Education Edition**, click **View Bills**. @@ -117,7 +126,7 @@ After you've finished the purchase, you can find your invoice by checking **Mine 4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf. -  +  The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. @@ -151,21 +160,21 @@ For Minecraft: Education Edition, you can use auto assign subscription to contro 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) 2. Click Manage. - + You'll see Minecraft: Education Edition product page. - +  - + -Or- - -  - -3. Slide the **Auto assign subscription** or click **Turn off auto assign subscription**. + +  +3. Slide the **Auto assign subscription** or click **Turn off auto assign subscription**. ### Install for me -You can install the app on your PC. This gives you a chance to test the app and know how you might help others in your organization use the app. -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). +You can install the app on your PC. This gives you a chance to test the app and know how you might help others in your organization use the app. + +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Install**. @@ -173,20 +182,19 @@ You can install the app on your PC. This gives you a chance to test the app and 3. Click **Install**. ### Assign to others -Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can download the app. +Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can download the app. **To assign to others** -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). + +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**.  -3. Click **Invite people**. - +3. Click **Invite people**. 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. - You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student. - + You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.  **To finish Minecraft install (for students)** @@ -222,14 +230,15 @@ Download for others allows teachers or IT admins to download an app that they ca Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps. **To check for app updates** + 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). 2. Click the account button, and then click **Downloads and updates**. -  +  3. Click **Check for updates**, and install all available updates. -  +  4. Restart the computer before installing Minecraft: Education Edition. @@ -238,8 +247,7 @@ You'll download a .zip file, extract the files, and then use one of the files to 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. -  - +  2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. 4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**. diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index b20485075a..d1af5ba608 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -105,8 +105,6 @@ When running tests in this mode, keep the following in mind: - Permissive mode is not supported in kiosk mode (dedicated test account). - Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode. -See [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info. - ## Learn more [Take a Test API](/windows/uwp/apps-for-education/take-a-test-api) \ No newline at end of file diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 10e2d2f7e0..b32de08fcb 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -252,7 +252,7 @@ One of the ways you can present content in a locked down manner is by embedding 3. To enable permissive mode, do not include `enforceLockdown` in the schema parameters. - See [Permissive mode](take-a-test-app-technical.md#permissive-mode) and [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info. + For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode). ### Create a shortcut for the test link You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps: diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 9d26301975..1ebd02e090 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -113,7 +113,7 @@ One of the ways you can present content in a locked down manner is by embedding 3. To enable permissive mode, do not include `enforceLockdown` in the schema parameters. - See [Permissive mode](take-a-test-app-technical.md#permissive-mode) and [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info. + For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode). ### Create a shortcut for the test link diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index f9ba6a9479..50853a9e67 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -74,5 +74,5 @@ To exit the Take a Test app at any time, press Ctrl+Alt+Delete. ## Get more info -- Teachers can use Microsoft Forms to create tests. See [Create tests using Microsoft Forms](https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms) to find out how. +- Teachers can use Microsoft Forms to create tests. See [Create tests using Microsoft Forms](https://support.microsoft.com/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d) to find out how. - To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md). diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index f64a279787..6f271715c9 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -20,7 +20,7 @@ manager: dansimp - Windows 10 -Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). +Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows-10.md), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index 67a2d8f5cb..7da2e85c29 100644 --- a/smb/cloud-mode-business-setup.md +++ b/smb/cloud-mode-business-setup.md @@ -447,7 +447,7 @@ In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink :::image type="content" alt-text="Check that the device appears in Intune." source="images/intune_groups_devices_list.png"::: ## 3. Manage device settings and features -You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). +You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/mem/intune/configuration/device-profiles). In this section, we'll show you how to reconfigure app deployment settings and add a new policy that will disable the camera for the Intune-managed devices and turn off Windows Hello and PINs during setup. diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 4dbf952dd9..cbda9f3cbe 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -346,7 +346,7 @@ This process will recreate both the local and network locations for AppData and In an App-V Full Infrastructure, after applications are sequenced they are managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client. -This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/download/details.aspx?id=38177). +This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Microsoft Endpoint Configuration Manager, see [Deploy App-V virtual applications with Configuration Manager](/mem/configmgr/apps/get-started/deploying-app-v-virtual-applications). The App-V application lifecycle tasks are triggered at user sign in (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured (after the client is enabled) with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell). diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md index f574f36790..0edc5463b0 100644 --- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md +++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md @@ -11,7 +11,7 @@ ms.reviewer: manager: dougeby ms.author: aaroncz ms.topic: article ---- +--- # Automatically clean up unpublished packages on the App-V client [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] @@ -62,5 +62,5 @@ Using Group Policy, you can turn on the **Enable automatic cleanup of unused App ## Related topics - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -- [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/download/details.aspx?id=41186) +- [Deploying App-V for Windows client](appv-deploying-appv.md) - [Using the App-V Client Management Console](appv-using-the-client-management-console.md) diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md index b047bdfd4b..6b86fc2b2e 100644 --- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md +++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md @@ -26,7 +26,7 @@ This article will tell you how to configure the App-V client to receive updates ## Configure the App-V client to receive updates from the publishing server 1. Deploy the App-V management and publishing servers, and add the required packages and connection groups. For more information about adding packages and connection groups, see [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) and [How to create a connection group](appv-create-a-connection-group.md). -2. To open the management console, open a web browser and enter the following URL:
The root node for the Policy configuration service provider. +The root node for the Policy configuration service provider. -
Supported operation is Get. +Supported operation is Get. **Policy/Config** -
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. +Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value) the configuration source can use the Policy/Result path to retrieve the resulting value. -
Supported operation is Get. +Supported operation is Get. **Policy/Config/_AreaName_** -
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. +The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. -
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/Config/_AreaName/PolicyName_** -
Specifies the name/value pair used in the policy. +Specifies the name/value pair used in the policy. -
The following list shows some tips to help you when configuring policies: +The following list shows some tips to help you when configuring policies: -- Separate substring values by the Unicode &\#xF000; in the XML file. +- Separate substring values by the Unicode &\#xF000; in the XML file. -> [!NOTE] -> A query from a different caller could provide a different value as each caller could have different values for a named policy. + > [!NOTE] + > A query from a different caller could provide a different value as each caller could have different values for a named policy. -- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. -- Supported operations are Add, Get, Delete, and Replace. -- Value type is string. +- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. +- Supported operations are Add, Get, Delete, and Replace. +- Value type is string. **Policy/Result** -
Groups the evaluated policies from all providers that can be configured. +Groups the evaluated policies from all providers that can be configured. -
Supported operation is Get. +Supported operation is Get. **Policy/Result/_AreaName_** -
The area group that can be configured by a single technology independent of the providers. +The area group that can be configured by a single technology independent of the providers. -
Supported operation is Get. +Supported operation is Get. **Policy/Result/_AreaName/PolicyName_** -
Specifies the name/value pair used in the policy. +Specifies the name/value pair used in the policy. -
Supported operation is Get. +Supported operation is Get. **Policy/ConfigOperations** -
Added in Windows 10, version 1703. The root node for grouping different configuration operations. +Added in Windows 10, version 1703. The root node for grouping different configuration operations. -
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall** -
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration.
+Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
-
ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
+ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
-
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_** -
Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. +Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. -
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy** -
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. +Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. -
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_** -
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. +Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. -
Supported operations are Add and Get. Does not support Delete. +Supported operations are Add and Get. Does not support Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference** -
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. +Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. -
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_** -
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. - -
Supported operations are Add and Get. Does not support Delete. +Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. +Supported operations are Add and Get. Does not support Delete. ## Policies diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 53f46805cf..f23dbf7f6b 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - AboveLock - -
@@ -123,3 +121,6 @@ The following list shows the supported values: +## Related topics + +[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index ffbfabf801..2a640df633 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Accounts -description: Learn about the Policy configuration service provider (CSP). This articles describes account policies. +description: Learn about the Accounts policy configuration service provider (CSP). This article describes account policies. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -169,4 +169,8 @@ The following list shows the supported values: - \ No newline at end of file + + +## Related topics + +[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 352549f4d0..6c81fc9eb0 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -67,7 +67,8 @@ If you enable this setting, the administrator can create a list of approved Acti If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. -Note: Wild card characters cannot be used when specifying the host URLs. +>[!Note] +> Wild card characters cannot be used when specifying the host URLs. @@ -85,3 +86,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 01c897def4..caad440929 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_ActiveXInstallService -description: Policy CSP - ADMX_ActiveXInstallService +description: Learn about the Policy CSP - ADMX_ActiveXInstallService. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -89,3 +89,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index cda9438358..28216b6769 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_AddRemovePrograms -description: Policy CSP - ADMX_AddRemovePrograms +description: Learn about the Policy CSP - ADMX_AddRemovePrograms. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -93,7 +93,7 @@ The policy setting specifies the category of programs that appears when users op To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. -If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they are most likely to need. +If you disable this setting or don't configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they're most likely to need. > [!NOTE] > This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. @@ -150,7 +150,7 @@ ADMX Info: This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. -If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. +If you disable this setting or don't configure it, the "Add a program from CD-ROM or floppy disk" option will be available to all users. This setting doesn't prevent users from using other tools and methods to add or remove program components. > [!NOTE] > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. @@ -207,7 +207,7 @@ ADMX Info: This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. -If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. +If you disable this setting or don't configure it, "Add programs from Microsoft" is available to all users. This setting doesn't prevent users from using other tools and methods to connect to Windows Update. > [!NOTE] > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. @@ -265,9 +265,9 @@ ADMX Info: This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. -If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. +If you enable this setting, users can't tell which programs have been published by the system administrator, and they can't use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. -If you disable this setting or do not configure it, "Add programs from your network" is available to all users. +If you disable this setting or don't configure it, "Add programs from your network" is available to all users. > [!NOTE] > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. @@ -322,9 +322,9 @@ ADMX Info: -This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. +This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users can't view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. -If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. +If you disable this setting or don't configure it, the Add New Programs button will be available to all users. This setting doesn't prevent users from using other tools and methods to install programs. @@ -379,7 +379,7 @@ ADMX Info: This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. -If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. +If you disable this setting or don't configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting doesn't prevent users from using other tools and methods to install or uninstall programs. @@ -432,9 +432,9 @@ ADMX Info: -This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. +This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users can't view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. -If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. +If you disable this setting or don't configure it, the Set Program Access and Defaults button is available to all users. This setting doesn't prevent users from using other tools and methods to change program access or defaults. This setting doesn't prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. @@ -488,9 +488,9 @@ ADMX Info: -This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. +This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users can't view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. -If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. +If you disable this setting or don't configure it, the Change or Remove Programs page is available to all users. This setting doesn't prevent users from using other tools and methods to delete or uninstall programs. @@ -543,9 +543,9 @@ ADMX Info: -This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. +This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that haven't been configured and offers users easy access to the configuration tools. -If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. +If you disable this setting or don't configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting doesn't prevent users from using other methods to configure services. > [!NOTE] > When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. @@ -603,7 +603,7 @@ ADMX Info: This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. -If you disable this setting or do not configure it, the Support Info hyperlink appears. +If you disable this setting or don't configure it, the Support Info hyperlink appears. > [!NOTE] > Not all programs provide a support information hyperlink. @@ -658,9 +658,9 @@ ADMX Info: -This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. +This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users can't view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. -If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. +If you disable this setting or don't configure it, the Add/Remove Windows Components button is available to all users. This setting doesn't prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. @@ -687,3 +687,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md index 4701b9088a..f8dee79bd9 100644 --- a/windows/client-management/mdm/policy-csp-admx-admpwd.md +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_AdmPwd -description: Policy CSP - ADMX_AdmPwd +description: Learn about the Policy CSP - ADMX_AdmPwd. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -73,7 +73,7 @@ manager: dansimp When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. -When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy. +When you disable or don't configure this setting, password expiration time may be longer than required by "Password Settings" policy. @@ -160,7 +160,7 @@ ADMX Info: When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. -When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy. +When you disable or don't configure this setting, password expiration time may be longer than required by "Password Settings" policy. @@ -225,3 +225,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index f77ed606ef..c4a14678bd 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -98,7 +98,7 @@ This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.e You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. -If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run. +If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components can't run. If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer. @@ -151,7 +151,7 @@ This policy setting controls the visibility of the Program Compatibility propert The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. -Enabling this policy setting removes the property page from the context-menus, but does not affect previous compatibility settings applied to application using this interface. +Enabling this policy setting removes the property page from the context-menus, but doesn't affect previous compatibility settings applied to application using this interface. @@ -247,13 +247,13 @@ ADMX Info: The policy setting controls the state of the Switchback compatibility engine in the system. -Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. +Switchback is a mechanism that provides generic compatibility mitigation to older applications by providing older behavior to old applications and new behavior to new applications. Switchback is on by default. -If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using. +If you enable this policy setting, Switchback will be turned off. Turning off Switchback may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they're using. -If you disable or do not configure this policy setting, the Switchback will be turned on. +If you disable or don't configure this policy setting, the Switchback will be turned on. Reboot the system after changing the setting to ensure that your system accurately reflects those changes. @@ -298,13 +298,13 @@ ADMX Info: This policy setting controls the state of the application compatibility engine in the system. -The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. +The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a known problem. -Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and will not block known incompatible applications from installing. For example, this may result in a blue screen if an old anti-virus application is installed. +Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and won't block known incompatible applications from installing. For example, this may result in a blue screen if an old anti-virus application is installed. -The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations will not be applied to applications and their installers and these applications may fail to install or run properly. +The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations won't be applied to applications and their installers and these applications may fail to install or run properly. -This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. +This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they're using. It's particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. > [!NOTE] > Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, reboot to ensure that your system accurately reflects those changes. @@ -350,7 +350,7 @@ ADMX Info: -This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. +This policy setting exists only for backward compatibility, and isn't valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. @@ -395,9 +395,9 @@ ADMX Info: This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. -If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. +If you enable this policy setting, the PCA will be turned off. The user won't be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. -If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. +If you disable or don't configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. > [!NOTE] > The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. @@ -449,7 +449,7 @@ Steps Recorder keeps a record of steps taken by the user. The data generated by If you enable this policy setting, Steps Recorder will be disabled. -If you disable or do not configure this policy setting, Steps Recorder will be enabled. +If you disable or don't configure this policy setting, Steps Recorder will be enabled. @@ -496,9 +496,9 @@ This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. -If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. +If you enable this policy setting, the Inventory Collector will be turned off and data won't be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. -If you disable or do not configure this policy setting, the Inventory Collector will be turned on. +If you disable or don't configure this policy setting, the Inventory Collector will be turned on. > [!NOTE] > This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. @@ -519,3 +519,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index 158948b963..7dc13ae3e1 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_AppxPackageManager -description: Policy CSP - ADMX_AppxPackageManager +description: Learn about the Policy CSP - ADMX_AppxPackageManager. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -63,16 +63,16 @@ manager: dansimp This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. -Special profiles are the following user profiles, where changes are discarded after the user signs off: +Special profiles are the following user profiles where changes are discarded after the user signs off: -- Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies -- Mandatory user profiles and super-mandatory profiles, which are created by an administrator -- Temporary user profiles, which are created when an error prevents the correct profile from loading -- User profiles for the Guest account and members of the Guests group +- Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies. +- Mandatory user profiles and super-mandatory profiles, which are created by an administrator. +- Temporary user profiles, which are created when an error prevents the correct profile from loading. +- User profiles for the Guest account and members of the Guests group. If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile. -If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. +If you disable or don't configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. @@ -89,4 +89,8 @@ ADMX Info:
- \ No newline at end of file + + +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index 4cc5ed5e0b..4095c01ad1 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_AppXRuntime -description: Policy CSP - ADMX_AppXRuntime +description: Learn about the Policy CSP - ADMX_AppXRuntime. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -72,7 +72,7 @@ manager: dansimp This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. -If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. +If you enable this policy setting, you can define more Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. @@ -117,11 +117,11 @@ ADMX Info: -This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. +This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there's a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. -If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. +If you enable this policy setting, Windows Store apps can't open files in the default desktop app for a file type; they can open files only in other Windows Store apps. -If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. +If you disable or don't configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. @@ -164,9 +164,9 @@ ADMX Info: This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. -If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. +If you enable this policy setting, Universal Windows apps that declare Windows Runtime API access in ApplicationContentUriRules section of the manifest can't be launched; Universal Windows apps that haven't declared Windows Runtime API access in the manifest aren't affected. -If you disable or do not configure this policy setting, all Universal Windows apps can be launched. +If you disable or don't configure this policy setting, all Universal Windows apps can be launched. > [!WARNING] > This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. @@ -211,11 +211,11 @@ ADMX Info: -This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. +This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there's a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. -If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. +If you enable this policy setting, Windows Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. -If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. +If you disable or don't configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. > [!NOTE] > Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. @@ -236,3 +236,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index c73a012b15..a54fcdbac7 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_AttachmentManager -description: Policy CSP - ADMX_AttachmentManager +description: Learn about the Policy CSP - ADMX_AttachmentManager. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -77,13 +77,13 @@ This policy setting allows you to configure the logic that Windows uses to deter Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. -Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options. +Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation that will cause users to see more trust prompts than choosing the other options. If you enable this policy setting, you can choose the order in which Windows processes risk assessment data. If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. -If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. +If you don't configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. @@ -126,17 +126,15 @@ ADMX Info: This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. -High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. - -Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. - -Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. +- High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. +- Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. +- Low Risk: If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information. If you enable this policy setting, you can specify the default risk level for file types. If you disable this policy setting, Windows sets the default risk level to moderate. -If you do not configure this policy setting, Windows sets the default risk level to moderate. +If you don't configure this policy setting, Windows sets the default risk level to moderate. @@ -183,7 +181,7 @@ If you enable this policy setting, you can create a custom list of high-risk fil If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk. -If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. +If you don't configure this policy setting, Windows uses its built-in list of high-risk file types. @@ -224,13 +222,13 @@ ADMX Info: -This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types that pose a low risk. If you disable this policy setting, Windows uses its default trust logic. -If you do not configure this policy setting, Windows uses its default trust logic. +If you don't configure this policy setting, Windows uses its default trust logic. @@ -273,11 +271,11 @@ ADMX Info: This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). -If you enable this policy setting, you can specify file types which pose a moderate risk. +If you enable this policy setting, you can specify file types that pose a moderate risk. If you disable this policy setting, Windows uses its default trust logic. -If you do not configure this policy setting, Windows uses its default trust logic. +If you don't configure this policy setting, Windows uses its default trust logic. @@ -294,3 +292,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index c0329444bd..ba5bd6916e 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_AuditSettings -description: Policy CSP - ADMX_AuditSettings +description: Learn about the Policy CSP - ADMX_AuditSettings. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -65,7 +65,7 @@ This policy setting determines what information is logged in security audit even If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. -If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. +If you disable or don't configure this policy setting, the process's command line information will not be included in Audit Process Creation events. Default is Not configured. @@ -88,3 +88,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index db8592a2d7..e3301c9321 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_Bits -description: Policy CSP - ADMX_Bits +description: Learn about the Policy CSP - ADMX_Bits. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -102,9 +102,9 @@ manager: dansimp This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. -If you enable this policy setting, the BITS client does not use Windows Branch Cache. +If you enable this policy setting, the BITS client doesn't use Windows Branch Cache. -If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache. +If you disable or don't configure this policy setting, the BITS client uses Windows Branch Cache. > [!NOTE] > This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. @@ -152,7 +152,7 @@ This policy setting specifies whether the computer will act as a BITS peer cachi If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. -If you disable or do not configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. +If you disable or don't configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. > [!NOTE] > This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. @@ -201,7 +201,7 @@ This policy setting specifies whether the computer will act as a BITS peer cachi If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. -If you disable or do not configure this policy setting, the computer will offer downloaded and cached files to its peers. +If you disable or don't configure this policy setting, the computer will offer downloaded and cached files to its peers. > [!NOTE] > This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. @@ -251,9 +251,9 @@ This policy setting determines if the Background Intelligent Transfer Service (B If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. -If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. +If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it's possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. -If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. +If you disable or don't configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. @@ -296,15 +296,15 @@ ADMX Info: -This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). +This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting doesn't affect transfers from the origin server). -To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. +To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100-Mbps network card and a 56-Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. You can change the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching. If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching. -If you disable this policy setting or do not configure it, the default value of 30 percent of the slowest active network interface will be used. +If you disable this policy setting or don't configure it, the default value of 30 percent of the slowest active network interface will be used. > [!NOTE] > This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. @@ -354,7 +354,7 @@ If you enable this policy setting, you can define a separate set of network band You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule. -If you disable or do not configure this policy setting, the limits defined for work or non-work schedules will be used. +If you disable or don't configure this policy setting, the limits defined for work or non-work schedules will be used. > [!NOTE] > The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. @@ -399,13 +399,13 @@ ADMX Info: -This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that aren't defined in a work schedule are considered non-work hours. If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for non-work hours. -If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. +If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers. @@ -451,7 +451,7 @@ This policy setting limits the maximum amount of disk space that can be used for If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. -If you disable or do not configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. +If you disable or don't configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. > [!NOTE] > This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. @@ -495,11 +495,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that have not been accessed in the past 90 days. +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that haven't been accessed in the past 90 days. If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. -If you disable or do not configure this policy setting, files that have not been accessed for the past 90 days will be removed from the peer cache. +If you disable or don't configure this policy setting, files that haven't been accessed for the past 90 days will be removed from the peer cache. > [!NOTE] > This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. @@ -551,7 +551,7 @@ By default BITS uses a maximum download time of 90 days (7,776,000 seconds). If you enable this policy setting, you can set the maximum job download time to a specified number of seconds. -If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. +If you disable or don't configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. @@ -593,11 +593,11 @@ ADMX Info: -This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. +This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS job can contain. If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. -If you disable or do not configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. +If you disable or don't configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. > [!NOTE] > BITS Jobs created by services and the local administrator account do not count toward this limit. @@ -646,7 +646,7 @@ This policy setting limits the number of BITS jobs that can be created for all u If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. -If you disable or do not configure this policy setting, BITS will use the default BITS job limit of 300 jobs. +If you disable or don't configure this policy setting, BITS will use the default BITS job limit of 300 jobs. > [!NOTE] > BITS jobs created by services and the local administrator account do not count toward this limit. @@ -695,7 +695,7 @@ This policy setting limits the number of BITS jobs that can be created by a user If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. -If you disable or do not configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. +If you disable or don't configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. > [!NOTE] > This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. @@ -744,7 +744,7 @@ This policy setting limits the number of ranges that can be added to a file in a If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. -If you disable or do not configure this policy setting, BITS will limit ranges to 500 ranges per file. +If you disable or don't configure this policy setting, BITS will limit ranges to 500 ranges per file. > [!NOTE] > BITS Jobs created by services and the local administrator account do not count toward this limit. @@ -766,3 +766,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index d5f0761d38..91b1d7c6aa 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_CipherSuiteOrder -description: Policy CSP - ADMX_CipherSuiteOrder +description: Learn about the Policy CSP - ADMX_CipherSuiteOrder. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -146,4 +146,8 @@ ADMX Info:
- \ No newline at end of file + + +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index 7666143850..45c2e3e28b 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_COM -description: Policy CSP - ADMX_COM +description: Learn about the Policy CSP - ADMX_COM. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -66,11 +66,11 @@ manager: dansimp This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. -Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. +Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs can't perform all their functions unless Windows has internally registered the required components. -If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly. +If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it's found, downloads it. The resulting searches might make some programs start or run slowly. -If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. +If you disable or don't configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. @@ -118,11 +118,11 @@ ADMX Info: This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. -Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. +Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs can't perform all their functions unless Windows has internally registered the required components. -If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly. +If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it's found, downloads it. The resulting searches might make some programs start or run slowly. -If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. +If you disable or don't configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. @@ -141,3 +141,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 4d63de3739..0ff16b2feb 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_ControlPanel -description: Policy CSP - ADMX_ControlPanel +description: Learn about the Policy CSP - ADMX_ControlPanel. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -82,7 +82,9 @@ To hide a Control Panel item, enable this policy setting and click Show to acces If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. > [!NOTE] -> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. +> +>To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. @@ -130,7 +132,7 @@ If this policy setting is enabled, the Control Panel opens to the icon view. If this policy setting is disabled, the Control Panel opens to the category view. -If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session. +If this policy setting isn't configured, the Control Panel opens to the view used in the last Control Panel session. > [!NOTE] > Icon size is dependent upon what the user has set it to in the previous session. @@ -177,7 +179,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. Disables all Control Panel programs and the PC settings app. -This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings, or run any of their items. +This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users can't start Control Panel or PC settings, or run any of their items. This setting removes Control Panel from: @@ -260,4 +262,8 @@ ADMX Info:
- \ No newline at end of file + + +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 4ffc124899..e8e6178c75 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_ControlPanelDisplay -description: Policy CSP - ADMX_ControlPanelDisplay +description: Learn about the Policy CSP - ADMX_ControlPanelDisplay. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -130,9 +130,9 @@ manager: dansimp -Disables the Display Control Panel. +This policy setting disables the Display Control Panel. -If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. +If you enable this setting, the Display Control Panel doesn't run. When users try to start Display, a message appears explaining that a setting prevents the action. Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. @@ -176,7 +176,7 @@ ADMX Info: -Removes the Settings tab from Display in Control Panel. +This setting removes the Settings tab from Display in Control Panel. This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. @@ -222,9 +222,9 @@ ADMX Info: This setting forces the theme color scheme to be the default color scheme. -If you enable this setting, a user cannot change the color scheme of the current desktop theme. +If you enable this setting, a user can't change the color scheme of the current desktop theme. -If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme. +If you disable or don't configure this setting, a user may change the color scheme of the current desktop theme. For Windows 7 and later, use the "Prevent changing color and appearance" setting. @@ -269,12 +269,12 @@ ADMX Info: This setting disables the theme gallery in the Personalization Control Panel. -If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). +If you enable this setting, users can't change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). -If you disable or do not configure this setting, there is no effect. +If you disable or don't configure this setting, there's no effect. > [!NOTE] -> If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. +> If you enable this setting but don't specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. @@ -315,7 +315,7 @@ ADMX Info: -Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. +This policy setting prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. @@ -360,11 +360,11 @@ ADMX Info: -Enables desktop screen savers. +This policy setting enables desktop screen savers. -If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. +If you disable this setting, screen savers don't run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users can't change the screen saver options. -If you do not configure it, this setting has no effect on the system. +If you don't configure it, this setting has no effect on the system. If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. @@ -409,15 +409,16 @@ ADMX Info: -This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. +This setting allows you to force a specific default lock screen and sign-in image by entering the path (location) of the image file. The same image will be used for both the lock and sign-in screens. -This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). +This setting lets you specify the default lock screen and sign-in image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). -To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`. +To use this setting, type the fully qualified path and name of the file that stores the default lock screen and sign-in image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`. -This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown. +This setting can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and sign-in image to be shown. -Note: This setting only applies to Enterprise, Education, and Server SKUs. +>[!NOTE] +> This setting only applies to Enterprise, Education, and Server SKUs. @@ -459,11 +460,11 @@ ADMX Info: -Prevents users from changing the size of the font in the windows and buttons displayed on their screens. +This setting prevents users from changing the size of the font in the windows and buttons displayed on their screens. If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. -If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. +If you disable or don't configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. @@ -504,11 +505,11 @@ ADMX Info: -Prevents users from changing the background image shown when the machine is locked or when on the logon screen. +Prevents users from changing the background image shown when the machine is locked or when on the sign-in screen. -By default, users can change the background image shown when the machine is locked or displaying the logon screen. +By default, users can change the background image shown when the machine is locked or displaying the sign-in screen. -If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. +If you enable this setting, the user won't be able to change their lock screen and sign-in image, and they'll instead see the default image. @@ -549,11 +550,11 @@ ADMX Info: -Prevents users from changing the look of their start menu background, such as its color or accent. +This setting prevents users from changing the look of their start menu background, such as its color or accent. By default, users can change the look of their start menu background, such as its color or accent. -If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them. +If you enable this setting, the user will be assigned the default start menu background and colors and won't be allowed to change them. If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy. @@ -598,13 +599,13 @@ ADMX Info: -Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. +This setting disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature isn't available. -This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. +This setting also prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel. -For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. +For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the Display in Control Panel. @@ -645,7 +646,7 @@ ADMX Info: -Prevents users from adding or changing the background design of the desktop. +This setting prevents users from adding or changing the background design of the desktop. By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. @@ -653,7 +654,8 @@ If you enable this setting, none of the Desktop Background settings can be chang To specify wallpaper for a group, use the "Desktop Wallpaper" setting. -Note: You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. +>[!NOTE] +>You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. Also, see the "Allow only bitmapped wallpaper" setting. @@ -696,7 +698,7 @@ ADMX Info: -Prevents users from changing the desktop icons. +This setting prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. @@ -745,9 +747,9 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the lock screen appears for users. -If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. +If you enable this policy setting, users that aren't required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. -If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. +If you disable or don't configure this policy setting, users that aren't required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. @@ -788,7 +790,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the mouse pointers. +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from changing the mouse pointers. By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers. @@ -833,9 +835,9 @@ ADMX Info: -Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. +This setting prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. -This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. +This setting also prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It doesn't prevent a screen saver from running. @@ -876,7 +878,7 @@ ADMX Info: -Prevents users from changing the sound scheme. +This setting prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. @@ -921,11 +923,11 @@ ADMX Info: -Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. +This setting forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. By default, users can change the background and accent colors. -If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. +If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users can't change those colors. This setting won't be applied if the specified colors don't meet a contrast ratio of 2:1 with white text. @@ -966,13 +968,13 @@ ADMX Info: -Determines whether screen savers used on the computer are password protected. +This setting determines whether screen savers used on the computer are password protected. -If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. +If you enable this setting, all screen savers are password protected. If you disable this setting, password protection can't be set on any screen saver. This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting. -If you do not configure this setting, users can choose whether or not to set password protection on each screen saver. +If you don't configure this setting, users can choose whether or not to set password protection on each screen saver. To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting. @@ -1020,17 +1022,15 @@ ADMX Info: Specifies how much user idle time must elapse before the screen saver is launched. -When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. +When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver won't be started. This setting has no effect under any of the following circumstances: - The setting is disabled or not configured. - - The wait time is set to zero. - - The "Enable Screen Saver" setting is disabled. -- Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client. +- The "Screen saver executable name" setting and the Screen Saver dialog of the client computer's Personalization or Display Control Panel don't specify a valid existing screen saver program on the client. When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. @@ -1073,18 +1073,18 @@ ADMX Info: -Specifies the screen saver for the user's desktop. +This setting specifies the screen saver for the user's desktop. If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. -If you disable this setting or do not configure it, users can select any screen saver. +If you disable this setting or don't configure it, users can select any screen saver. -If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file. +If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file isn't in the %Systemroot%\System32 directory, type the fully qualified path to the file. -If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored. +If the specified screen saver isn't installed on a computer to which this setting applies, the setting is ignored. > [!NOTE] -> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. +> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers don't run. @@ -1127,9 +1127,9 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. Specifies which theme file is applied to the computer the first time a user logs on. -If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon. +If you enable this setting, the theme that you specify will be applied when a new user signs in for the first time. This policy doesn't prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first sign in. -If you disable or do not configure this setting, the default theme will be applied at the first logon. +If you disable or don't configure this setting, the default theme will be applied at the first sign in. @@ -1172,18 +1172,18 @@ ADMX Info: This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. -This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). +This file can be a local computer visual style (aero.msstyles) one, or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes. -If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). +If you disable or don't configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). > [!NOTE] -> If this setting is enabled and the file is not available at user logon, the default visual style is loaded. +> If this setting is enabled and the file isn't available at user logon, the default visual style is loaded. > > When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles. > -> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. +> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you can't apply the Windows Classic visual style. @@ -1228,7 +1228,7 @@ Forces the Start screen to use one of the available backgrounds, 1 through 20, a If this setting is set to zero or not configured, then Start uses the default background, and users can change it. -If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. +If this setting is set to a nonzero value, then Start uses the specified background, and users can't change it. If the specified background isn't supported, the default background is used. @@ -1244,4 +1244,8 @@ ADMX Info:
- \ No newline at end of file + + +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index 6644992e57..18929d3fd6 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -95,9 +95,9 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved via NTLM. -If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). +If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those credentials that you use when first signing in to Windows). -If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine. +If you disable or don't configure (by default) this policy setting, delegation of default credentials isn't permitted to any machine. > [!NOTE] > The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. @@ -152,11 +152,11 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). +If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those credentials that you use when first logging on to Windows). The policy becomes effective the next time the user signs on to a computer running Windows. -If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. +If you disable or don't configure (by default) this policy setting, delegation of default credentials isn't permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. FWlink for KB: https://go.microsoft.com/fwlink/?LinkId=301508 @@ -215,14 +215,14 @@ Some versions of the CredSSP protocol are vulnerable to an encryption oracle att If you enable this policy setting, CredSSP version support will be selected based on the following options: -- Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. +- Force Updated Clients: Client applications that use CredSSP won't be able to fall back to the insecure versions and services using CredSSP won't accept unpatched clients. > [!NOTE] > This setting should not be deployed until all remote hosts support the newest version. -- Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. +- Mitigated: Client applications that use CredSSP won't be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. -- Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients. +- Vulnerable: Client applications that use CredSSP will expose the remote servers to attacks by supporting a fallback to the insecure versions and services using CredSSP will accept unpatched clients. For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660 @@ -269,11 +269,11 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). +If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those credentials that you're prompted for when executing the application). -If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). +If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. +If you disable this policy setting, delegation of fresh credentials isn't permitted to any machine. > [!NOTE] > The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN. @@ -327,11 +327,11 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved via NTLM. -If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). +If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those credentials that you're prompted for when executing the application). -If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). +If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. +If you disable this policy setting, delegation of fresh credentials isn't permitted to any machine. > [!NOTE] > The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. @@ -385,11 +385,11 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). +If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager). -If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). +If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of saved credentials is not permitted to any machine. +If you disable this policy setting, delegation of saved credentials isn't permitted to any machine. > [!NOTE] > The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. @@ -443,11 +443,11 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved via NTLM. -If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). +If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager). -If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine. +If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine isn't a member of any domain. If the client is domain-joined, by default, the delegation of saved credentials isn't permitted to any machine. -If you disable this policy setting, delegation of saved credentials is not permitted to any machine. +If you disable this policy setting, delegation of saved credentials isn't permitted to any machine. > [!NOTE] > The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. @@ -499,12 +499,12 @@ ADMX Info: This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). +If you enable this policy setting, you can specify the servers to which the user's default credentials can't be delegated (default credentials are those credentials that you use when first logging on to Windows). -If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. +If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server. > [!NOTE] -> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. > > For Example: > @@ -555,12 +555,12 @@ ADMX Info: This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). +If you enable this policy setting, you can specify the servers to which the user's fresh credentials can't be delegated (fresh credentials are those credentials that you're prompted for when executing the application). -If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. +If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server. > [!NOTE] -> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. > > For Example: > @@ -611,12 +611,12 @@ ADMX Info: This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). +If you enable this policy setting, you can specify the servers to which the user's saved credentials can't be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager). -If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. +If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server. > [!NOTE] -> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. > > For Example: > @@ -665,7 +665,7 @@ ADMX Info: -When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. +When the participating applications are running in Restricted Admin or Remote Credential Guard mode, participating applications don't expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials aren't delegated. Remote Credential Guard doesn't limit access to resources because it redirects all requests back to the client device. Participating apps: Remote Desktop Client @@ -676,12 +676,12 @@ If you enable this policy setting, the following options are supported: - Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts. - Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts. -If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices. +If you disable or don't configure this policy setting, Restricted Admin and Remote Credential Guard mode aren't enforced and participating apps can delegate credentials to remote devices. > [!NOTE] > To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation). > -> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. +> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions don't support Remote Credential Guard. diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index d6bc1bc1fd..a62ce22ddd 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -69,9 +69,9 @@ This policy setting requires the user to enter Microsoft Windows credentials usi > [!NOTE] > This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. -If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. +If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop through the trusted path mechanism. -If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. +If you disable or don't configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. @@ -112,7 +112,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. +Available in the latest Windows 10 Insider Preview Build. If you turn on this policy setting, local users won’t be able to set up and use security questions to reset their passwords. diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index 7bdb85337f..89ce54faf5 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -72,7 +72,7 @@ manager: dansimp This policy setting prevents users from changing their Windows password on demand. -If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. +If you enable this policy setting, the **Change Password** button on the Windows Security dialog box won't appear when you press Ctrl+Alt+Del. However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. @@ -119,11 +119,11 @@ ADMX Info: This policy setting prevents users from locking the system. -While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. +While locked, the desktop is hidden and the system can't be used. Only the user who locked the system or the system administrator can unlock it. -If you enable this policy setting, users cannot lock the computer from the keyboard using Ctrl+Alt+Del. +If you enable this policy setting, users can't lock the computer from the keyboard using Ctrl+Alt+Del. -If you disable or do not configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del. +If you disable or don't configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del. > [!TIP] > To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer. @@ -170,9 +170,9 @@ This policy setting prevents users from starting Task Manager. Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. -If you enable this policy setting, users will not be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action. +If you enable this policy setting, users won't be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action. -If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. +If you disable or don't configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. @@ -215,11 +215,11 @@ ADMX Info: This policy setting disables or removes all menu items and buttons that log the user off the system. -If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. +If you enable this policy setting, users won't see the Log off menu item when they press Ctrl+Alt+Del. This scenario will prevent them from logging off unless they restart or shut down the computer, or clicking Log off from the Start menu. Also, see the 'Remove Logoff on the Start Menu' policy setting. -If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. +If you disable or don't configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index 280a763699..33f7687705 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -63,9 +63,9 @@ manager: dansimp This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. -If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. +If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. -If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization. +If you disable or don't configure this policy setting, then Microsoft won't be able to use this identifier to associate this machine and its telemetry data with your organization. diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index 4efe29532e..510d934391 100644 --- a/windows/client-management/mdm/policy-csp-admx-dcom.md +++ b/windows/client-management/mdm/policy-csp-admx-dcom.md @@ -66,10 +66,10 @@ manager: dansimp This policy setting allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list. -- If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list. +- If you enable this policy setting, and DCOM doesn't find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list. -- If you disable this policy setting, DCOM will not look in the locally configured DCOM activation security check exemption list. -If you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy is not configured. +- If you disable this policy setting, DCOM won't look in the locally configured DCOM activation security check exemption list. +If you don't configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy isn't configured. > [!NOTE] > This policy setting applies to all sites in Trusted zones. @@ -113,25 +113,25 @@ ADMX Info: -This policy setting allows you to view and change a list of DCOM server application IDs (app ids), which are exempted from the DCOM Activation security check. +This policy setting allows you to view and change a list of DCOM server application IDs (app IDs), which are exempted from the DCOM Activation security check. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled. DCOM server application IDs added to this policy must be listed in curly brace format. For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`. -If you enter a non-existent or improperly formatted application ID DCOM will add it to the list without checking for errors. +If you enter a non-existent or improperly formatted application, ID DCOM will add it to the list without checking for errors. - If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. -If you add an application ID to this list and set its value to one, DCOM will not enforce the Activation security check for that DCOM server. -If you add an application ID to this list and set its value to zero DCOM will always enforce the Activation security check for that DCOM server regardless of local +If you add an application ID to this list and set its value to one, DCOM won't enforce the Activation security check for that DCOM server. +If you add an application ID to this list and set its value to 0, DCOM will always enforce the Activation security check for that DCOM server regardless of local settings. - If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. -If you do not configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. -This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. +If you don't configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. +This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries, then the object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid. -DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups. +DCOM servers added to this exemption list are only exempted if their custom launch permissions don't contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups. > [!NOTE] > Exemptions for DCOM Server Application IDs added to this list will apply to both 32-bit and 64-bit versions of the server if present. diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 1a66b56054..a7ea8ccda9 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -145,13 +145,13 @@ manager: dansimp -Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. +Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying more filters to search results. If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. -If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu. +If you disable this setting or don't configure it, the filter bar doesn't appear, but users can display it by selecting "Filter" on the "View" menu. -To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. +To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar doesn't appear above the resulting display, on the View menu, click Filter. @@ -197,9 +197,9 @@ Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Directory objects in a browse window. -If you enable this setting, the Active Directory folder does not appear in the Network Locations folder. +If you enable this setting, the Active Directory folder doesn't appear in the Network Locations folder. -If you disable this setting or do not configure it, the Active Directory folder appears in the Network Locations folder. +If you disable this setting or don't configure it, the Active Directory folder appears in the Network Locations folder. This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. @@ -243,11 +243,11 @@ ADMX Info: -Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. +Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those displays in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. -If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space. +If you disable this setting or don't configure it, the system displays up to 10,000 objects. This screen-display consumes approximately 2 MB of memory or disk space. This setting is designed to protect the network and the domain controller from the effect of expansive searches. @@ -295,7 +295,7 @@ Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. -If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. +If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it. > [!NOTE] > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. @@ -343,7 +343,7 @@ Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. -If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. +If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it. > [!NOTE] > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. @@ -390,7 +390,7 @@ ADMX Info: Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. -This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. +This setting is a comprehensive one that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users can't enable or disable Active Desktop. If Active Desktop is already enabled, users can't add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. @@ -433,9 +433,9 @@ ADMX Info: Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. -Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. +Removing icons and shortcuts doesn't prevent the user from using another method to start the programs or opening the items they represent. -Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. +Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. The removal of the Desktop icon will help prevent users from saving data to the Desktop. @@ -479,12 +479,12 @@ ADMX Info: Prevents users from using the Desktop Cleanup Wizard. -If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. +If you enable this setting, the Desktop Cleanup wizard doesn't automatically run on a user's workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. -If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. +If you disable this setting or don't configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. > [!NOTE] -> When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. +> When this setting isn't enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. @@ -528,7 +528,7 @@ ADMX Info: Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. -This setting does not prevent the user from starting Internet Explorer by using other methods. +This setting doesn't prevent the user from starting Internet Explorer by using other methods. @@ -576,10 +576,10 @@ If you enable this setting, Computer is hidden on the desktop, the new Start men If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting. -If you do not configure this setting, the default is to display Computer as usual. +If you don't configure this setting, the default is to display Computer as usual. > [!NOTE] -> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. +> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents doesn't hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. @@ -625,9 +625,9 @@ Removes most occurrences of the My Documents icon. This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. -This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder. +This setting doesn't prevent the user from using other methods to gain access to the contents of the My Documents folder. -This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting. +This setting doesn't remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting. > [!NOTE] > To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. @@ -673,7 +673,7 @@ ADMX Info: Removes the Network Locations icon from the desktop. -This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. +This setting only affects the desktop icon. It doesn't prevent users from connecting to the network or browsing for shared computers on the network. > [!NOTE] > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. @@ -720,9 +720,9 @@ ADMX Info: This setting hides Properties on the context menu for Computer. -If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. +If you enable this setting, the Properties option won't be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. -If you disable or do not configure this setting, the Properties option is displayed as usual. +If you disable or don't configure this setting, the Properties option is displayed as usual. @@ -766,13 +766,13 @@ ADMX Info: This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. -If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: +If you enable this policy setting, the Properties menu command won't be displayed when the user does any of the following tasks: - Right-clicks the My Documents icon. - Clicks the My Documents icon, and then opens the File menu. - Clicks the My Documents icon, and then presses ALT+ENTER. -If you disable or do not configure this policy setting, the Properties menu command is displayed. +If you disable or don't configure this policy setting, the Properties menu command is displayed. @@ -814,11 +814,11 @@ ADMX Info: -Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. +Remote shared folders aren't added to Network Locations whenever you open a document in the shared folder. -If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. +If you disable this setting or don't configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. -If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. +If you enable this setting, shared folders aren't added to Network Locations automatically when you open a document in the shared folder. @@ -864,7 +864,7 @@ Removes most occurrences of the Recycle Bin icon. This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. -This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder. +This setting doesn't prevent the user from using other methods to gain access to the contents of the Recycle Bin folder. > [!NOTE] > To make changes to this setting effective, you must log off and then log back on. @@ -910,9 +910,9 @@ ADMX Info: Removes the Properties option from the Recycle Bin context menu. -If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. +If you enable this setting, the Properties option won't be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. -If you disable or do not configure this setting, the Properties option is displayed as usual. +If you disable or don't configure this setting, the Properties option is displayed as usual. @@ -956,7 +956,7 @@ ADMX Info: Prevents users from saving certain changes to the desktop. -If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. +If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, aren't saved when users sign out. However, shortcuts placed on the desktop are always saved. @@ -1000,9 +1000,9 @@ ADMX Info: Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. -If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. +If you enable this policy, application windows won't be minimized or restored when the active window is shaken back and forth with the mouse. -If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. +If you disable or don't configure this policy, this window minimizing and restoring gesture will apply. @@ -1047,14 +1047,14 @@ Specifies the desktop background ("wallpaper") displayed on all users' desktops. This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. -To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. +To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file isn't available when the user logs on, no wallpaper is displayed. Users can't specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users can't change this specification. -If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. +If you disable this setting or don't configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. > [!NOTE] -> This setting does not apply to remote desktop server sessions. +> This setting doesn't apply to remote desktop server sessions. @@ -1097,7 +1097,7 @@ ADMX Info: Prevents users from adding Web content to their Active Desktop. -This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. +This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users can't add Web pages or pictures from the Internet or an intranet to the desktop. This setting doesn't remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. Also, see the "Disable all items" setting. @@ -1142,12 +1142,12 @@ ADMX Info: Prevents users from removing Web content from their Active Desktop. -In Active Desktop, you can add items to the desktop but close them so they are not displayed. +In Active Desktop, you can add items to the desktop but close them so they aren't displayed. -If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel. +If you enable this setting, items added to the desktop can't be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel. > [!NOTE] -> This setting does not prevent users from deleting items from their Active Desktop. +> This setting doesn't prevent users from deleting items from their Active Desktop. @@ -1193,7 +1193,7 @@ Prevents users from deleting Web content from their Active Desktop. This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. -This setting does not prevent users from adding Web content to their Active Desktop. +This setting doesn't prevent users from adding Web content to their Active Desktop. Also, see the "Prohibit closing items" and "Disable all items" settings. @@ -1239,7 +1239,7 @@ ADMX Info: Prevents users from changing the properties of Web content items on their Active Desktop. -This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. +This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users can't change the properties of an item, such as its synchronization schedule, password, or display characteristics. @@ -1283,10 +1283,10 @@ ADMX Info: Removes Active Desktop content and prevents users from adding Active Desktop content. -This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. +This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users can't add Web pages or pictures from the Internet or an intranet to the desktop. > [!NOTE] -> This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. +> This setting doesn't disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. @@ -1335,10 +1335,10 @@ You can use the "Add" box in this setting to add particular Web-based items or s You can also use this setting to delete particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting is refreshed. > [!NOTE] -> Removing an item from the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again. +> Removing an item from the "Add" list for this setting isn't the same as deleting it. Items that are removed from the "Add" list aren't removed from the desktop. They are simply not added again. > [!NOTE] -> For this setting to take affect, you must log off and log on to the system. +> For this setting to take effect, you must log off and log on to the system. @@ -1382,7 +1382,7 @@ ADMX Info: Prevents users from manipulating desktop toolbars. -If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. +If you enable this setting, users can't add or remove toolbars from the desktop. Also, users can't drag toolbars onto or off from the docked toolbars. > [!NOTE] > If users have added or removed toolbars, this setting prevents them from restoring the default configuration. @@ -1432,9 +1432,9 @@ ADMX Info: -Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. +Prevents users from adjusting the length of desktop toolbars. Also, users can't reposition items or toolbars on docked toolbars. -This setting does not prevent users from adding or removing toolbars on the desktop. +This setting doesn't prevent users from adding or removing toolbars on the desktop. > [!NOTE] > If users have adjusted their toolbars, this setting prevents them from restoring the default configuration. @@ -1481,7 +1481,7 @@ ADMX Info: -Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". +Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper doesn't load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 6ef592107b..5ac4d423c2 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md @@ -65,12 +65,12 @@ This policy setting lets you deploy a Code Integrity Policy to a machine to cont If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. -To enable this policy the machine must be rebooted. +To enable this policy, the machine must be rebooted. The file path must be either a UNC path (for example, `\\ServerName\ShareName\SIPolicy.p7b`), or a locally valid path (for example, `C:\FolderName\SIPolicy.p7b)`. The local machine account (LOCAL SYSTEM) must have access permission to the policy file. -If using a signed and protected policy then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either: +If using a signed and protected policy, then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either: 1. First update the policy to a non-protected policy and then disable the setting. 2. Disable the setting and then remove the policy from each computer, with a physically present user. diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index 596d4df2ed..62efd762ae 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -86,7 +86,7 @@ This policy setting allows you to determine whether members of the Administrator If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. +If you disable or don't configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. @@ -132,7 +132,7 @@ This policy setting allows you to display a custom message to users in a notific If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. -If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. +If you disable or don't configure this policy setting, Windows displays a default message when a policy setting prevents device installation. @@ -178,7 +178,7 @@ This policy setting allows you to display a custom message title in a notificati If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. -If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. +If you disable or don't configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. @@ -224,7 +224,7 @@ This policy setting allows you to configure the number of seconds Windows waits If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. -If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. +If you disable or don't configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. @@ -268,11 +268,11 @@ ADMX Info: This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. -If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. +If you enable this policy setting, set the number of seconds you want the system to wait until a reboot. -If you disable or do not configure this policy setting, the system does not force a reboot. +If you disable or don't configure this policy setting, the system doesn't force a reboot. -Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. +Note: If no reboot is forced, the device installation restriction right won't take effect until the system is restarted. @@ -314,11 +314,11 @@ ADMX Info: -This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. -If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. +If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices can't have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. +If you disable or don't configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. @@ -361,9 +361,9 @@ ADMX Info: This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. -If you enable this policy setting, Windows does not create a system restore point when one would normally be created. +If you enable this policy setting, Windows doesn't create a system restore point when one would normally be created. -If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. +If you disable or don't configure this policy setting, Windows creates a system restore point as it normally would. @@ -409,7 +409,7 @@ This policy setting specifies a list of device setup class GUIDs describing devi If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. -If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system. +If you disable or don't configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system. diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index ae07cf6eb3..c54fe1375e 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -66,9 +66,9 @@ manager: dansimp This policy setting allows you to turn off "Found New Hardware" balloons during device installation. -If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. +If you enable this policy setting, "Found New Hardware" balloons don't appear while a device is being installed. -If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. +If you disable or don't configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. @@ -114,9 +114,9 @@ This policy setting allows you to specify the order in which Windows searches so If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. -Note that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system. +Searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows won't continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver isn't locally available on the system. -If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. +If you disable or don't configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index 731f55b062..fafc357e89 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -68,9 +68,9 @@ This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. -If you enable this setting, Digital Locker will not run. +If you enable this setting, Digital Locker won't run. -If you disable or do not configure this setting, Digital Locker can be run. +If you disable or don't configure this setting, Digital Locker can be run. @@ -116,9 +116,9 @@ This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. -If you enable this setting, Digital Locker will not run. +If you enable this setting, Digital Locker won't run. -If you disable or do not configure this setting, Digital Locker can be run. +If you disable or don't configure this setting, Digital Locker can be run. diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index 87b9aee1a3..6e82fec127 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -67,14 +67,14 @@ manager: dansimp -This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system. +This policy setting turns off the boot and resumes optimizations for the hybrid hard disks in the system. -If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume. +If you enable this policy setting, the system doesn't use the non-volatile (NV) cache to optimize boot and resume. If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. The system determines the data that will be stored in the NV cache to optimize boot and resume. -The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations. +The required data is stored in the NV cache during shutdown and hibernate, respectively. This storage in such a location might cause a slight increase in the time taken for shutdown and hibernate. If you don't configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations. This policy setting is applicable only if the NV cache feature is on. @@ -119,11 +119,11 @@ This policy setting turns off all support for the non-volatile (NV) cache on all To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache. -If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode. +If you enable this policy setting, the system won't manage the NV cache and won't enable NV cache power saving mode. If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured. -This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache. +This policy setting will take effect on next boot. If you don't configure this policy setting, the default behavior is to turn on support for the NV cache. @@ -170,9 +170,9 @@ This policy setting turns off the solid state mode for the hybrid hard disks. If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. -If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. +If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This storage allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. -This can cause increased wear of the NV cache. If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on. +This usage can cause increased wear of the NV cache. If you don't configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on. diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index cc4ff2f0b5..5982c438b4 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -79,7 +79,7 @@ manager: dansimp This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media. -If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. +If you disable or don't configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media. @@ -124,13 +124,13 @@ ADMX Info: This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting. -If you enable this policy setting, disk quota management is turned on, and users cannot turn it off. +If you enable this policy setting, disk quota management is turned on, and users can't turn it off. -If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. When this policy setting is not configured then the disk quota management is turned off by default, and the administrators can turn it on. +If you disable the policy setting, disk quota management is turned off, and users can't turn it on. When this policy setting isn't configured then the disk quota management is turned off by default, and the administrators can turn it on. To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes. -This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit. +This policy setting turns on disk quota management but doesn't establish or enforce a particular disk quota limit. To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. @@ -180,9 +180,9 @@ This policy setting determines whether disk quota limits are enforced and preven If you enable this policy setting, disk quota limits are enforced. -If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect. +If you disable this policy setting, disk quota limits aren't enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators can't make changes while the setting is in effect. -If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available. +If you don't configure this policy setting, the disk quota limit isn't enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available. This policy setting overrides user settings that enable or disable quota enforcement on their volumes. @@ -232,9 +232,9 @@ This policy setting determines whether the system records an event in the local If you enable this policy setting, the system records an event when the user reaches their limit. -If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. +If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators can't change the setting while a setting is in effect. If you don't configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. -This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes. +This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting doesn't affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they've reached their limit, because their status in the Quota Entries window changes. To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. @@ -282,9 +282,9 @@ This policy setting determines whether the system records an event in the Applic If you enable this policy setting, the system records an event. -If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect. +If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators can't change logging while a policy setting is in effect. -If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes. +If you don't configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting doesn't affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they've reached their warning level because their status in the Quota Entries window changes. To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. @@ -332,11 +332,11 @@ This policy setting specifies the default disk quota limit and warning level for This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit. This setting overrides new users’ settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab. -This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). +This policy setting applies to all new users as soon as they write to the volume. It doesn't affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). -If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group. +If you disable or don't configure this policy setting, the disk space available to users isn't limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it's reasonable for the range of volumes in the group. -This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. +This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas aren't enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 5c192b7816..ff67fc4f25 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -64,7 +64,7 @@ manager: dansimp This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client can more reliably track links when allowed to use the DLT server. -This policy should not be set unless the DLT server is running on all domain controllers in the domain. +This policy shouldn't be set unless the DLT server is running on all domain controllers in the domain. > [!NOTE] > This policy setting applies to all sites in Trusted zones. diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 89e960919b..8410109042 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -127,7 +127,7 @@ This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issue If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. -If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names. +If you disable this policy setting, or if you don't configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names. @@ -180,7 +180,7 @@ If you enable this policy setting, suffixes are allowed to be appended to an unq If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails. -If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. +If you don't configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. @@ -225,7 +225,7 @@ This policy setting specifies a connection-specific DNS suffix. This policy sett If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. -If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. +If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. @@ -273,22 +273,22 @@ With devolution, a DNS client creates queries by appending a single-label, unqua The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. -Devolution is not enabled if a global suffix search list is configured using Group Policy. +Devolution isn't enabled if a global suffix search list is configured using Group Policy. -If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: +If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: - The primary DNS suffix, as specified on the Computer Name tab of the System control panel. - Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. -If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. +If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. -For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two. +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two. If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. -If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled. +If you disable this policy setting or don't configure it, DNS clients use the default devolution level of two if DNS devolution is enabled. @@ -333,9 +333,9 @@ ADMX Info: This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. -If this policy setting is enabled, IDNs are not converted to Punycode. +If this policy setting is enabled, IDNs aren't converted to Punycode. -If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. +If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. @@ -381,7 +381,7 @@ This policy setting specifies whether the DNS client should convert internationa If this policy setting is enabled, IDNs are converted to the Nameprep form. -If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. +If this policy setting is disabled, or if this policy setting isn't configured, IDNs aren't converted to the Nameprep form. @@ -429,7 +429,7 @@ To use this policy setting, click Enabled, and then enter a space-delimited list If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting. -If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. +If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. @@ -475,7 +475,7 @@ This policy setting specifies that responses from link local name resolution pro If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. -If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. +If you disable this policy setting, or if you don't configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. > [!NOTE] > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. @@ -531,7 +531,7 @@ If you enable this policy setting, it supersedes the primary DNS suffix configur You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix. -If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. +If you disable this policy setting, or if you don't configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined. @@ -576,13 +576,13 @@ This policy setting specifies if a computer performing dynamic DNS registration By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. -If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting. +If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This suffix-update applies to all network connections used by computers that receive this policy setting. For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. -If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. +If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix. @@ -631,11 +631,11 @@ If you enable this policy setting, registration of PTR records will be determine To use this policy setting, click Enabled, and then select one of the following options from the drop-down list: -- Do not register: Computers will not attempt to register PTR resource records -- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful. +- don't register: Computers won't attempt to register PTR resource records +- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful. - Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful. -If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. +If you disable this policy setting, or if you don't configure this policy setting, computers will use locally configured settings. @@ -678,7 +678,7 @@ ADMX Info: This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. -If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. +If you enable this policy setting, or you don't configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. @@ -724,13 +724,13 @@ ADMX Info: This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. -This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. +This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers. -During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address. +During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address. -If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update. +If you enable this policy setting or if you don't configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update. -If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. +If you disable this policy setting, existing A resource records that contain conflicting IP addresses won't be replaced during a dynamic update, and an error will be recorded in Event Viewer. @@ -774,7 +774,7 @@ ADMX Info: This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. -Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. +Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records. > [!WARNING] > If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. @@ -783,7 +783,7 @@ To specify the registration refresh interval, click Enabled and then enter a val If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. -If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. +If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. @@ -831,7 +831,7 @@ To specify the TTL, click Enabled and then enter a value in seconds (for example If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. -If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). +If you disable this policy setting, or if you don't configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). @@ -875,7 +875,7 @@ ADMX Info: This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. -An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." +An unqualified single-label name contains no dots. The name "example" is a single-label name. This name is different from a fully qualified domain name such as "example.microsoft.com." Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com." @@ -883,7 +883,7 @@ To use this policy setting, click Enabled, and then enter a string value represe If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. -If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. +If you disable this policy setting, or if you don't configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. @@ -926,11 +926,11 @@ ADMX Info: -This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. +This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. If multiple positive responses are received, the network binding order is used to determine which response to accept. -If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. +If you enable this policy setting, the DNS client won't perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. -If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. +If you disable this policy setting, or if you don't configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. @@ -976,7 +976,7 @@ This policy setting specifies that the DNS client should prefer responses from l If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. -If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. +If you disable this policy setting, or if you don't configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. > [!NOTE] > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. @@ -1030,7 +1030,7 @@ To use this policy setting, click Enabled and then select one of the following v If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting. -If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. +If you disable this policy setting, or if you don't configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. @@ -1078,7 +1078,7 @@ By default, a DNS client that is configured to perform dynamic DNS update will u If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone. -If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. +If you disable this policy setting, or if you don't configure this policy setting, computers don't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. @@ -1126,9 +1126,9 @@ With devolution, a DNS client creates queries by appending a single-label, unqua The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. -Devolution is not enabled if a global suffix search list is configured using Group Policy. +Devolution isn't enabled if a global suffix search list is configured using Group Policy. -If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: +If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: The primary DNS suffix, as specified on the Computer Name tab of the System control panel. @@ -1136,13 +1136,13 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. -If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. +If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. -For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. -If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. +If you enable this policy setting, or if you don't configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. -If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. +If you disable this policy setting, DNS clients don't attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. @@ -1186,11 +1186,11 @@ ADMX Info: This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. -LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. +LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible. If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer. -If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. +If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters. diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index 94017ac6c2..10b9761d52 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -76,11 +76,11 @@ manager: dansimp -This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user doesn't specify a color. -If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. +If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user doesn't specify a color. -If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. +If you disable or don't configure this policy setting, the default internal color is used, if the user doesn't specify a color. > [!NOTE] > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. @@ -125,11 +125,11 @@ ADMX Info: -This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user doesn't specify a color. -If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. +If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user doesn't specify a color. -If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. +If you disable or don't configure this policy setting, the default internal color is used, if the user doesn't specify a color. > [!NOTE] > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. @@ -178,9 +178,9 @@ This policy setting controls the appearance of window animations such as those f If you enable this policy setting, window animations are turned off. -If you disable or do not configure this policy setting, window animations are turned on. +If you disable or don't configure this policy setting, window animations are turned on. -Changing this policy setting requires a logoff for it to be applied. +Changing this policy setting requires a sign out for it to be applied. @@ -226,9 +226,9 @@ This policy setting controls the appearance of window animations such as those f If you enable this policy setting, window animations are turned off. -If you disable or do not configure this policy setting, window animations are turned on. +If you disable or don't configure this policy setting, window animations are turned on. -Changing this policy setting requires a logoff for it to be applied. +Changing this policy setting requires out a sign for it to be applied. @@ -274,7 +274,7 @@ This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. -If you disable or do not configure this policy setting, you allow users to change the default window frame color. +If you disable or don't configure this policy setting, you allow users to change the default window frame color. > [!NOTE] > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. @@ -323,7 +323,7 @@ This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. -If you disable or do not configure this policy setting, you allow users to change the default window frame color. +If you disable or don't configure this policy setting, you allow users to change the default window frame color. > [!NOTE] > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 4a47e54126..21ee8c0b36 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -96,9 +96,9 @@ manager: dansimp This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. -If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. +If you enable this policy setting, Non-Publishing Standard Glyph isn't included in the candidate list when Publishing Standard Glyph for the word exists. -If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. +If you disable or don't configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. This policy setting applies to Japanese Microsoft IME only. @@ -161,7 +161,7 @@ If you enable this policy setting, then only the character code ranges specified - 0x1000 // IVS char - 0xFFFF // no definition. -If you disable or do not configure this policy setting, no range of characters are filtered by default. +If you disable or don't configure this policy setting, no range of characters are filtered by default. This policy setting applies to Japanese Microsoft IME only. @@ -210,9 +210,9 @@ ADMX Info: This policy setting allows you to turn off the ability to use a custom dictionary. -If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. +If you enable this policy setting, you can't add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. -If you disable or do not configure this policy setting, the custom dictionary can be used by default. +If you disable or don't configure this policy setting, the custom dictionary can be used by default. For Japanese Microsoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears self-tuned words from the custom dictionary. @@ -265,7 +265,7 @@ This policy setting allows you to turn off history-based predictive input. If you enable this policy setting, history-based predictive input is turned off. -If you disable or do not configure this policy setting, history-based predictive input is on by default. +If you disable or don't configure this policy setting, history-based predictive input is on by default. This policy setting applies to Japanese Microsoft IME only. @@ -315,9 +315,9 @@ This policy setting allows you to turn off Internet search integration. Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. -If you enable this policy setting, you cannot use search integration. +If you enable this policy setting, you can't use search integration. -If you disable or do not configure this policy setting, the search integration function can be used by default. +If you disable or don't configure this policy setting, the search integration function can be used by default. This policy setting applies to Japanese Microsoft IME. @@ -366,11 +366,11 @@ ADMX Info: This policy setting allows you to turn off Open Extended Dictionary. -If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. +If you enable this policy setting, Open Extended Dictionary is turned off. You can't add a new Open Extended Dictionary. -For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion. +For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting isn't used for conversion. -If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default. +If you disable or don't configure this policy setting, Open Extended Dictionary can be added and used by default. This policy setting is applied to Japanese Microsoft IME. @@ -416,9 +416,9 @@ ADMX Info: This policy setting allows you to turn off saving the auto-tuning result to file. -If you enable this policy setting, the auto-tuning data is not saved to file. +If you enable this policy setting, the auto-tuning data isn't saved to file. -If you disable or do not configure this policy setting, auto-tuning data is saved to file by default. +If you disable or don't configure this policy setting, auto-tuning data is saved to file by default. This policy setting applies to Japanese Microsoft IME only. @@ -666,7 +666,7 @@ This policy setting allows you to turn on logging of misconversion for the misco If you enable this policy setting, misconversion logging is turned on. -If you disable or do not configure this policy setting, misconversion logging is turned off. +If you disable or don't configure this policy setting, misconversion logging is turned off. This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index 6ac5c0d97c..2ab763817c 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -80,7 +80,7 @@ This policy setting allows you to configure a list of Enhanced Storage devices b If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. -If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. +If you disable or don't configure this policy setting, all Enhanced Storage devices are usable on your computer. @@ -125,7 +125,7 @@ This policy setting allows you to create a list of IEEE 1667 silos, compliant wi If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. -If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. +If you disable or don't configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. @@ -168,9 +168,9 @@ ADMX Info: This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. -If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. +If you enable this policy setting, a password can't be used to unlock an Enhanced Storage device. -If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. +If you disable or don't configure this policy setting, a password can be used to unlock an Enhanced Storage device. @@ -213,9 +213,9 @@ ADMX Info: This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. -If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. +If you enable this policy setting, non-Enhanced Storage removable devices aren't allowed on your computer. -If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. +If you disable or don't configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. @@ -262,7 +262,7 @@ This policy setting is supported in Windows Server SKUs only. If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked. -If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. +If you disable or don't configure this policy setting, the Enhanced Storage device state isn't changed when the computer is locked. @@ -307,7 +307,7 @@ This policy setting configures whether or not only USB root hub connected Enhanc If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. -If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. +If you disable or don't configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index cb39601404..7e72497d05 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -151,7 +151,7 @@ If you enable this policy setting, you can instruct Windows Error Reporting in t If the Report all errors in Microsoft applications check box is filled, all errors in Microsoft applications are reported, regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled, all errors in Windows applications are reported, regardless of the setting in the Default dropdown list. The Windows applications category is a subset of Microsoft applications. -If you disable or do not configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications. +If you disable or don't configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications. This policy setting is ignored if the Configure Error Reporting policy setting is disabled or not configured. @@ -198,11 +198,11 @@ ADMX Info: This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. -If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list aren't reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting. -If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. +If you disable or don't configure this policy setting, the Default application reporting settings policy setting takes precedence. @@ -245,13 +245,13 @@ ADMX Info: This policy setting specifies applications for which Windows Error Reporting should always report errors. -To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. +To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list aren't reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors. If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.) -If you disable this policy setting or do not configure it, the Default application reporting settings policy setting takes precedence. +If you disable this policy setting or don't configure it, the Default application reporting settings policy setting takes precedence. Also see the "Default Application Reporting" and "Application Exclusion List" policies. @@ -299,26 +299,26 @@ ADMX Info: This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. -This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. +This policy setting doesn't enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. > [!IMPORTANT] -> If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting. +> If the Turn off Windows Error Reporting policy setting isn't configured, then Control Panel settings for Windows Error Reporting override this policy setting. -If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting: +If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that aren't configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting: -- "Do not display links to any Microsoft ‘More information’ websites": Select this option if you do not want error dialog boxes to display links to Microsoft websites. +- "Do not display links to any Microsoft ‘More information’ websites": Select this option if you don't want error dialog boxes to display links to Microsoft websites. -- "Do not collect additional files": Select this option if you do not want additional files to be collected and included in error reports. +- "Do not collect additional files": Select this option if you don't want extra files to be collected and included in error reports. -- "Do not collect additional computer data": Select this if you do not want additional information about the computer to be collected and included in error reports. +- "Do not collect additional computer data": Select this option if you don't want additional information about the computer to be collected and included in error reports. -- "Force queue mode for application errors": Select this option if you do not want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to log on to the computer can send the error reports to Microsoft. +- "Force queue mode for application errors": Select this option if you don't want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to sign in to the computer can send the error reports to Microsoft. -- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the computer can send the error reports to Microsoft. +- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to sign in to the computer can send the error reports to Microsoft. - "Replace instances of the word ‘Microsoft’ with": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text. -If you do not configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003. +If you don't configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003. If you disable this policy setting, configuration settings in the policy setting are left blank. @@ -367,9 +367,9 @@ This policy setting controls whether errors in the operating system are included If you enable this policy setting, Windows Error Reporting includes operating system errors. -If you disable this policy setting, operating system errors are not included in error reports. +If you disable this policy setting, operating system errors aren't included in error reports. -If you do not configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors. +If you don't configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors. See also the Configure Error Reporting policy setting. @@ -416,7 +416,7 @@ This policy setting controls the behavior of the Windows Error Reporting archive If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. -If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. +If you disable or don't configure this policy setting, no Windows Error Reporting information is stored. @@ -461,7 +461,7 @@ This policy setting controls the behavior of the Windows Error Reporting archive If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. -If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. +If you disable or don't configure this policy setting, no Windows Error Reporting information is stored. @@ -502,9 +502,9 @@ ADMX Info: -This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy doesn't apply to error reports generated by 3rd-party products, or to data other than memory dumps. -If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. +If you enable or don't configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. @@ -547,9 +547,9 @@ ADMX Info: -This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy doesn't apply to error reports generated by 3rd-party products, or to data other than memory dumps. -If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. +If you enable or don't configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. @@ -590,11 +590,11 @@ ADMX Info: -This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. +This policy setting determines whether Windows Error Reporting (WER) sends more first-level report data, accompanied by second-level report data, even if a CAB file containing data about the same event types has already been uploaded to the server. -If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. +If you enable this policy setting, WER doesn't throttle data; that is, WER uploads more CAB files that can contain data about the same event types as an earlier uploaded report. -If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. +If you disable or don't configure this policy setting, WER throttles data by default; that is, WER doesn't upload more than one CAB file for a report that contains data about the same event types. @@ -635,11 +635,11 @@ ADMX Info: -This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. +This policy setting determines whether Windows Error Reporting (WER) sends more first-level report data, accompanied by second-level report data, even if a CAB file containing data about the same event types has already been uploaded to the server. -If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. +If you enable this policy setting, WER doesn't throttle data; that is, WER uploads more CAB files that can contain data about the same event types as an earlier uploaded report. -If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. +If you disable or don't configure this policy setting, WER throttles data by default; that is, WER doesn't upload more than one CAB file for a report that contains data about the same event types. @@ -682,9 +682,9 @@ ADMX Info: This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. -If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. +If you enable this policy setting, WER doesn't check for network cost policy restrictions, and transmits data even if network cost is restricted. -If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. +If you disable or don't configure this policy setting, WER doesn't send data, but will check the network cost policy again if the network profile is changed. @@ -727,9 +727,9 @@ ADMX Info: This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. -If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. +If you enable this policy setting, WER doesn't check for network cost policy restrictions, and transmits data even if network cost is restricted. -If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. +If you disable or don't configure this policy setting, WER doesn't send data, but will check the network cost policy again if the network profile is changed. @@ -770,11 +770,11 @@ ADMX Info: -This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but doesn't upload extra report data until the computer is connected to a more permanent power source. -If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. +If you enable this policy setting, WER doesn't determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. -If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. +If you disable or don't configure this policy setting, WER checks for solutions while a computer is running on battery power, but doesn't upload report data until the computer is connected to a more permanent power source. @@ -815,11 +815,11 @@ ADMX Info: -This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but doesn't upload extra report data until the computer is connected to a more permanent power source. -If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. +If you enable this policy setting, WER doesn't determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. -If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. +If you disable or don't configure this policy setting, WER checks for solutions while a computer is running on battery power, but doesn't upload report data until the computer is connected to a more permanent power source. @@ -860,11 +860,11 @@ ADMX Info: -This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). +This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you don't want to send error reports to Microsoft). If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. -If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. +If you disable or don't configure this policy setting, Windows Error Reporting sends error reports to Microsoft. @@ -907,19 +907,19 @@ ADMX Info: This policy setting determines the consent behavior of Windows Error Reporting for specific event types. -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. +If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those types meant for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. - 1 (Always ask before sending data): Windows prompts the user for consent to send reports. -- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send more data requested by Microsoft. -- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. +- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent to send more data requested by Microsoft. - 4 (Send all data): Any data requested by Microsoft is sent automatically. -If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. +If you disable or don't configure this policy setting, then the default consent settings that are applied are those settings specified by the user in Control Panel, or in the Configure Default Consent policy setting. @@ -964,7 +964,7 @@ This policy setting determines the behavior of the Configure Default Consent set If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. -If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. +If you disable or don't configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. @@ -1009,7 +1009,7 @@ This policy setting determines the behavior of the Configure Default Consent set If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. -If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. +If you disable or don't configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. @@ -1056,9 +1056,9 @@ If you enable this policy setting, you can set the default consent handling for - Always ask before sending data: Windows prompts users for consent to send reports. -- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft. -- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. +- Send parameters and safe extra data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft. - Send all data: any error reporting data requested by Microsoft is sent automatically. @@ -1109,9 +1109,9 @@ If you enable this policy setting, you can set the default consent handling for - Always ask before sending data: Windows prompts users for consent to send reports. -- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft. -- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. +- Send parameters and safe extra data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft. - Send all data: any error reporting data requested by Microsoft is sent automatically. @@ -1156,11 +1156,11 @@ ADMX Info: -This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. +This policy setting turns off Windows Error Reporting, so that reports aren't collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. -If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. +If you enable this policy setting, Windows Error Reporting doesn't send any problem information to Microsoft. Additionally, solution information isn't available in Security and Maintenance in Control Panel. -If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. +If you disable or don't configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. @@ -1205,7 +1205,7 @@ This policy setting limits Windows Error Reporting behavior for errors in genera If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. -If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. +If you disable or don't configure this policy setting, errors are reported on all Microsoft and Windows applications by default. @@ -1251,7 +1251,7 @@ This policy setting limits Windows Error Reporting behavior for errors in genera If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. -If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. +If you disable or don't configure this policy setting, errors are reported on all Microsoft and Windows applications by default. @@ -1294,9 +1294,9 @@ ADMX Info: This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. -If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. +If you enable this policy setting, Windows Error Reporting events aren't recorded in the system event log. -If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. +If you disable or don't configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. @@ -1339,9 +1339,9 @@ ADMX Info: This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. -If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. +If you enable this policy setting, Windows Error Reporting events aren't recorded in the system event log. -If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. +If you disable or don't configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. @@ -1382,11 +1382,11 @@ ADMX Info: -This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. +This policy setting controls whether more data in support of error reports can be sent to Microsoft automatically. -If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. +If you enable this policy setting, any extra-data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. -If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. +If you disable or don't configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. @@ -1433,7 +1433,7 @@ If you enable this policy setting, you can configure report queue behavior by us The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. -If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. +If you disable or don't configure this policy setting, Windows Error Reporting reports aren't queued, and users can only send reports at the time that a problem occurs. @@ -1480,7 +1480,7 @@ If you enable this policy setting, you can configure report queue behavior by us The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. -If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. +If you disable or don't configure this policy setting, Windows Error Reporting reports aren't queued, and users can only send reports at the time that a problem occurs. diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index becd6119b7..ffd209aa8f 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -67,9 +67,9 @@ manager: dansimp This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. -If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. +If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This volume-control may be required in high-volume environments. -If you disable or do not configure this policy setting, forwarder resource usage is not specified. +If you disable or don't configure this policy setting, forwarder resource usage isn't specified. This setting applies across all subscriptions for the forwarder (source computer). @@ -128,7 +128,7 @@ Server=https://
-## Bitlocker policies +## BitLocker policies
-
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
index 81ec70c880..7b7b384396 100644
--- a/windows/client-management/mdm/policy-csp-bits.md
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -78,7 +78,7 @@ If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT
-This policy specifies the bandwidth throttling **end time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock.
+This policy specifies the bandwidth throttling **end time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting doesn't affect foreground transfers. This policy is based on the 24-hour clock.
Value type is integer. Default value is 17 (5 PM).
@@ -88,10 +88,10 @@ You can specify a limit to use during a specific time interval and at all other
Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
-If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
+If you disable or don't configure this policy setting, BITS uses all available unused bandwidth.
> [!NOTE]
-> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
+> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting doesn't affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
@@ -144,7 +144,7 @@ ADMX Info:
-This policy specifies the bandwidth throttling **start time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock.
+This policy specifies the bandwidth throttling **start time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting doesn't affect foreground transfers. This policy is based on the 24-hour clock.
Value type is integer. Default value is 8 (8 am).
@@ -152,12 +152,12 @@ Supported value range: 0 - 23
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
-Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
+BITS, by using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
-If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
+If you disable or don't configure this policy setting, BITS uses all available unused bandwidth.
> [!NOTE]
-> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
+> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting doesn't affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
@@ -210,7 +210,7 @@ ADMX Info:
-This policy specifies the bandwidth throttling **transfer rate** in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers.
+This policy specifies the bandwidth throttling **transfer rate** in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting doesn't affect foreground transfers.
Value type is integer. Default value is 1000.
@@ -218,12 +218,12 @@ Supported value range: 0 - 4294967200
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
-Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
+BITS, by using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
-If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
+If you disable or don't configure this policy setting, BITS uses all available unused bandwidth.
> [!NOTE]
-> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
+> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting doesn't affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
@@ -278,7 +278,7 @@ ADMX Info:
This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of background transfers.
-If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority.
+If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting doesn't override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority.
For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:
- 1 - Always transfer
@@ -338,7 +338,7 @@ ADMX Info:
This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of foreground transfers.
-If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority.
+If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting doesn't override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority.
For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:
- 1 - Always transfer
@@ -406,9 +406,9 @@ Value type is integer. Default is 90 days.
Supported values range: 0 - 999
Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs.
-Consider decreasing this value if you are concerned about orphaned jobs occupying disk space.
+Consider decreasing this value if you're concerned about orphaned jobs occupying disk space.
-If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout.
+If you disable or don't configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout.
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 025122b10d..a27b8b0f61 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -75,7 +75,7 @@ manager: dansimp
Specifies whether the device can send out Bluetooth advertisements.
-If this is not set or it is deleted, the default value of 1 (Allow) is used.
+If this policy isn't set or is deleted, the default value of 1 (Allow) is used.
Most restricted value is 0.
@@ -83,7 +83,7 @@ Most restricted value is 0.
The following list shows the supported values:
-- 0 – Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral.
+- 0 – Not allowed. When set to 0, the device won't send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement isn't received by the peripheral.
- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral.
@@ -120,7 +120,7 @@ The following list shows the supported values:
Specifies whether other Bluetooth-enabled devices can discover the device.
-If this is not set or it is deleted, the default value of 1 (Allow) is used.
+If this policy isn't set or is deleted, the default value of 1 (Allow) is used.
Most restricted value is 0.
@@ -128,7 +128,7 @@ Most restricted value is 0.
The following list shows the supported values:
-- 0 – Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device.
+- 0 – Not allowed. When set to 0, other devices won't be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you can't see the name of the device.
- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it.
@@ -247,9 +247,9 @@ The following list shows the supported values:
Sets the local Bluetooth device name.
-If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified.
+If this name is set, the value that it's set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified.
-If this policy is not set or it is deleted, the default local radio name is used.
+If this policy isn't set or is deleted, the default local radio name is used.
@@ -327,7 +327,7 @@ The following list shows the supported values:
- 0 (default) - All Bluetooth traffic is allowed.
- N - A number from 1 through 16 representing the bytes that must be used in the encryption process. Currently, 16 is the largest allowed value for N and 16 bytes is the largest key size that Bluetooth supports. If you want to enforce Windows to always use Bluetooth encryption, ignoring the precise encryption key strength, use 1 as the value for N.
-For more information on allowed key sizes, refer to Bluetooth Core Specification v5.1.
+For more information on allowed key sizes, see Bluetooth Core Specification v5.1.
@@ -346,7 +346,7 @@ For more information on allowed key sizes, refer to Bluetooth Core Specification
## ServicesAllowedList usage guide
-When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
+When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It's an allowed list, enabling admins to still allow custom Bluetooth profiles that aren't defined by the Bluetooth Special Interests Group (SIG).
- Disabling a service shall block incoming and outgoing connections for such services
- Disabling a service shall not publish an SDP record containing the service being blocked
@@ -381,7 +381,7 @@ Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000**111E**-000
|Headset Service Class|For older voice-enabled headsets|0x1108|
|PnP Information|Used to identify devices occasionally|0x1200|
-This means that if you only want Bluetooth headsets, the UUIDs to include are:
+If you only want Bluetooth headsets, the UUIDs to include are:
{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index cbf9ef190b..97bb3385de 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -304,7 +304,7 @@ To verify AllowAutofill is set to 0 (not allowed):
1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+3. Click **Settings** in the dropdown list, and select **View Advanced Settings**.
4. Verify the setting **Save form entries** is grayed out.
@@ -418,7 +418,7 @@ To verify AllowCookies is set to 0 (not allowed):
1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+3. Click **Settings** in the dropdown list, and select **View Advanced Settings**.
4. Verify the setting **Cookies** is disabled.
@@ -520,7 +520,7 @@ ADMX Info:
Supported values:
-- Blank (default) - Do not send tracking information but let users choose to send tracking information to sites they visit.
+- Blank (default) - Don't send tracking information but let users choose to send tracking information to sites they visit.
- 0 - Never send tracking information.
- 1 - Send tracking information.
@@ -531,7 +531,7 @@ To verify AllowDoNotTrack is set to 0 (not allowed):
1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+3. Click **Settings** in the dropdown list, and select **View Advanced Settings**.
4. Verify the setting **Send Do Not Track requests** is grayed out.
@@ -689,7 +689,7 @@ ADMX Info:
Supported values:
- 0 – Load and run Adobe Flash content automatically.
-- 1 (default) – Does not load or run Adobe Flash content automatically. Requires action from the user.
+- 1 (default) – Doesn't load or run Adobe Flash content automatically. Requires action from the user.
Most restricted value: 1
@@ -981,7 +981,7 @@ Most restricted value: 1
To verify AllowPopups is set to 0 (not allowed):
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
-2. Verify the setting **Block pop-ups** is disabled.
+2. Verify whether the setting **Block pop-ups** is disabled.
@@ -1324,7 +1324,7 @@ ADMX Info:
Supported values:
-- 0 - Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled).
+- 0 - Prevented/not allowed. Disabling doesn't prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this sideloading, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled).
- 1 (default) - Allowed.
Most restricted value: 0
@@ -1383,7 +1383,7 @@ ADMX Info:
Supported values:
- Blank - Users can choose to use Windows Defender SmartScreen.
-- 0 – Turned off. Do not protect users from potential threats and prevent users from turning it on.
+- 0 – Turned off. Don't protect users from potential threats and prevent users from turning it on.
- 1 (default) – Turned on. Protect users from potential threats and prevent users from turning it off.
Most restricted value: 1
@@ -1624,12 +1624,12 @@ Most restricted value: 1
-To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
+To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
1. Open Microsoft Edge and browse to websites.
2. Close the Microsoft Edge window.
3. Open Microsoft Edge and start typing the same URL in address bar.
-4. Verify that it does not auto-complete from history.
+4. Verify that it doesn't auto-complete from history.
@@ -1686,7 +1686,7 @@ ADMX Info:
Supported values:
- 0 (default) – Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.
If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. -- 1 – Allowed. Add up to five additional search engines and set any one of them as the default.
For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). +- 1 – Allowed. Add up to five more search engines and set any one of them as the default.
For each search engine added, you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Most restricted value: 0 @@ -1871,7 +1871,7 @@ Supported values: - If it’s one of many apps, Microsoft Edge runs as normal. **1**: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you don't configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. @@ -2113,7 +2113,7 @@ Most restricted value: 0 [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../includes/disable-lockdown-of-start-pages-shortdesc.md)] > [!NOTE] -> This policy has no effect when the Browser/HomePages policy is not configured. +> This policy has no effect when the Browser/HomePages policy isn't configured. > [!IMPORTANT] > This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy). @@ -2235,7 +2235,7 @@ ADMX Info: Supported values: -- 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. +- 0 (default) - Turned off. Microsoft Edge doesn't check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. - 1 - Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.
For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp). @@ -2312,13 +2312,13 @@ Supported values: [!INCLUDE [configure-start-pages-shortdesc](../includes/configure-start-pages-shortdesc.md)] **Version 1607**
-Starting with this version, the HomePages policy enforces that users cannot change the Start pages settings. +From this version, the HomePages policy enforces that users can't change the Start pages settings. **Version 1703**
If you don't want to send traffic to Microsoft, use the \
-When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages your want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy. +When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages you want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy. > [!NOTE] @@ -2763,7 +2763,7 @@ Supported values: - Blank (default) - Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. -- String - Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper extension prevents users from turning it off:_Microsoft.OneNoteWebClipper8wekyb3d8bbwe_
After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.
Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. +- String - Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper extension prevents users from turning it off:
_Microsoft.OneNoteWebClipper8wekyb3d8bbwe_
After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.
Removing extensions from the list doesn't uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy doesn't prevent users from debugging and altering the logic on an extension. @@ -2933,7 +2933,7 @@ ADMX Info: Supported values: - 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically. -- 1 - Only intranet sites open in Internet Explorer 11 automatically.
Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.
- In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**. - Refresh the policy and then view the affected sites in Microsoft Edge.
A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.
- In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**. - Refresh the policy and then view the affected sites in Microsoft Edge.
A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it isn't yet running, or in a new tab.
Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.
If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.
If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. +- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users can't change the default search engine.
Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.
If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.
If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. Most restricted value: 1 @@ -3160,9 +3160,9 @@ ADMX Info: Supported values: -- 0 (default) – No additional message displays. -- 1 – Show an additional message stating that a site has opened in IE11. -- 2 - Show an additional message with a "Keep going in Microsoft Edge" link. +- 0 (default) – No other message displays. +- 1 – Show another message stating that a site has opened in IE11. +- 2 - Show another message with a "Keep going in Microsoft Edge" link. Most restricted value: 0 @@ -3198,8 +3198,8 @@ Most restricted value: 0 -This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after 3/9/2021 to avoid confusion for their enterprise users and reduce help desk calls. -By default, a notification will be presented to the user informing them of this upon application startup. +This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after March 9, 2021, to avoid confusion for their enterprise users and reduce help desk calls. +By default, a notification will be presented to the user informing them of this update upon application startup. With this policy, you can either allow (default) or suppress this notification. diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index a88970a383..48876d706e 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -82,11 +82,11 @@ You can specify either a default setting for all apps or a per-app setting by sp If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. -If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization cannot change it. +If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization can't change it. -If you choose the "Force Deny" option, Windows apps are not allowed to access cellular data and employees in your organization cannot change it. +If you choose the "Force Deny" option, Windows apps aren't allowed to access cellular data and employees in your organization can't change it. -If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. +If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.” @@ -271,7 +271,7 @@ ADMX Info: This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX. If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. -If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default. +If this policy setting is disabled or isn't configured, the link to the per-application cellular access control page is shown by default. diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index a4eb170e5c..d5df4315c1 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -105,9 +105,9 @@ manager: dansimp Allows the user to enable Bluetooth or restrict access. > [!NOTE] -> This value is not supported in Windows 10. +> This value isn't supported in Windows 10. -If this is not set or it is deleted, the default value of 2 (Allow) is used. +If this policy isn't set or is deleted, the default value of 2 (Allow) is used. Most restricted value is 0. @@ -115,9 +115,9 @@ Most restricted value is 0. The following list shows the supported values: -- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user will not be able to turn Bluetooth on. -- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. -- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. +- 0 – Disallow Bluetooth. If the value is set to 0, the radio in the Bluetooth control panel will be grayed out and the user won't be able to turn on Bluetooth. +- 1 – Reserved. If the value is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn on Bluetooth. +- 2 (default) – Allow Bluetooth. If the value is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn on Bluetooth. @@ -151,15 +151,15 @@ The following list shows the supported values: -Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. +Allows the cellular data channel on the device. Device reboot isn't required to enforce the policy. The following list shows the supported values: -- 0 – Do not allow the cellular data channel. The user cannot turn it on. This value is not supported in Windows 10, version 1511. +- 0 – Don't allow the cellular data channel. The user can't turn it on. This value isn't supported in Windows 10, version 1511. - 1 (default) – Allow the cellular data channel. The user can turn it off. -- 2 - Allow the cellular data channel. The user cannot turn it off. +- 2 - Allow the cellular data channel. The user can't turn it off. @@ -193,7 +193,7 @@ The following list shows the supported values: -Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. +Allows or disallows cellular data roaming on the device. Device reboot isn't required to enforce the policy. Most restricted value is 0. @@ -209,15 +209,15 @@ ADMX Info: The following list shows the supported values: -- 0 – Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511. +- 0 – Don't allow cellular data roaming. The user can't turn it on. This value isn't supported in Windows 10, version 1511. - 1 (default) – Allow cellular data roaming. -- 2 - Allow cellular data roaming on. The user cannot turn it off. +- 2 - Allow cellular data roaming on. The user can't turn it off. To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. -To validate on devices, do the following: +To validate on devices, perform the following steps: 1. Go to Cellular & SIM. 2. Click on the SIM (next to the signal strength icon) and select **Properties**. @@ -301,8 +301,8 @@ The following list shows the supported values: This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC. -If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device is not allowed to be linked to phones, will remove itself from the device list of any linked Phones, and cannot participate in 'Continue on PC experiences'. -If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device isn't allowed to be linked to phones, will remove itself from the device list of any linked Phones, and can't participate in 'Continue on PC experiences'. +If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. @@ -314,14 +314,14 @@ ADMX Info: This setting supports a range of values between 0 and 1. -- 0 - Do not link +- 0 - Don't link - 1 (default) - Allow phone-PC linking Validation: -If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be grayed out and clicking it will not launch the window for a user to enter their phone number. +If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be grayed out and clicking it won't launch the window for a user to enter their phone number. Device that has previously opt-in to MMX will also stop showing on the device list. @@ -360,7 +360,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li > [!NOTE] > Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. -Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. +Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy doesn't affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. @@ -413,7 +413,7 @@ Most restricted value is 0. The following list shows the supported values: -- 0 – VPN is not allowed over cellular. +- 0 – VPN isn't allowed over cellular. - 1 (default) – VPN can use any connection, including cellular. @@ -493,13 +493,13 @@ The following list shows the supported values: This policy setting specifies whether to allow printing over HTTP from this client. -Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. +Printing over HTTP allows a client to print to printers on the intranet and the Internet. -Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. +Note: This policy setting affects the client side of Internet printing only. It doesn't prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. -If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. +If you disable or don't configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. @@ -549,11 +549,11 @@ This policy setting specifies whether to allow this client to download print dri To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. -Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. +Note: This policy setting doesn't prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that aren't already installed locally. -If you enable this policy setting, print drivers cannot be downloaded over HTTP. +If you enable this policy setting, print drivers can't be downloaded over HTTP. -If you disable or do not configure this policy setting, users can download print drivers over HTTP. +If you disable or don't configure this policy setting, users can download print drivers over HTTP. @@ -601,11 +601,11 @@ This policy setting specifies whether Windows should download a list of provider These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. -If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. +If you enable this policy setting, Windows doesn't download providers, and only the service providers that are cached in the local registry are displayed. -If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. +If you disable or don't configure this policy setting, a list of providers is downloaded when the user uses the web publishing or online ordering wizards. -See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. +For more information, including details on specifying service providers in the registry, see the documentation for the web publishing and online ordering wizards. @@ -695,7 +695,7 @@ ADMX Info: This policy setting configures secure access to UNC paths. -If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. +If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling other security requirements. @@ -741,11 +741,11 @@ ADMX Info: Determines whether a user can install and configure the Network Bridge. -Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. +Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting doesn't apply. The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segments together. This connection appears in the Network Connections folder. -If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer. +If you disable this setting or don't configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting doesn't remove an existing Network Bridge from the user's computer. diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 12fbbf04b0..e66ffbee8b 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -71,9 +71,9 @@ The following list shows the supported values: - 0 (default) - 1 - The MDM policy is used and the GP policy is blocked. -The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that: +The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the first set of the policy. This activation ensures that: -- GP settings that correspond to MDM applied settings are not conflicting +- GP settings that correspond to MDM applied settings aren't conflicting - The current Policy Manager policies are refreshed from what MDM has set - Any values set by scripts/user outside of GP that conflict with MDM are removed diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index 87b03eb667..da8c5cd222 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -65,11 +65,11 @@ manager: dansimp Remote host allows delegation of non-exportable credentials -When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. +When credential delegation is being used, devices provide an exportable version of credentials to the remote host. This version exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. -If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host. +If you disable or don't configure this policy setting, Restricted Administration and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host. diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index 2b0be6c478..f242322253 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -68,9 +68,9 @@ manager: dansimp This policy setting allows you to configure the display of the password reveal button in password entry user experiences. -If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. +If you enable this policy setting, the password reveal button won't be displayed after a user types a password in the password entry text box. -If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. +If you disable or don't configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. @@ -118,7 +118,7 @@ ADMX Info: -This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. +This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts aren't displayed when the user attempts to elevate a running application. If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 4e05320c00..7a37cafe94 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -610,7 +610,7 @@ The following list shows the supported values: > This policy is only enforced in Windows 10 for desktop. -Allows or disallows Windows Defender Realtime Monitoring functionality. +Allows or disallows Windows Defender real-time Monitoring functionality. @@ -761,7 +761,7 @@ The following list shows the supported values: > This policy is only enforced in Windows 10 for desktop. -Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed. +Allows or disallows user access to the Windows Defender UI. I disallowed, all Windows Defender notifications will also be suppressed. @@ -863,7 +863,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. +This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (Azure Site Recovery) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). @@ -966,11 +966,11 @@ Valid values: 0–100 This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. -This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface. +This setting applies to scheduled scans and the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface. If you enable this setting, a check for new definitions will occur before running a scan. -If you disable this setting or do not configure this setting, the scan will start using the existing definitions. +If you disable this setting or don't configure this setting, the scan will start using the existing definitions. Supported values: @@ -1057,7 +1057,7 @@ The following list shows the supported values: - 0x0 - Default windows defender blocking level - 0x2 - High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives) -- 0x4 - High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact client performance) +- 0x4 - High+ blocking level – aggressively block unknowns and apply more protection measures (may impact client performance) - 0x6 - Zero tolerance blocking level – block all unknown executables @@ -1097,7 +1097,7 @@ The following list shows the supported values: This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. -The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. +The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an extra 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. @@ -1148,7 +1148,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. -Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. +Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it won't be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. @@ -1194,7 +1194,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. -This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. +This policy setting allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can't be changed. Value type is string. Use the | as the substring separator. @@ -1244,7 +1244,7 @@ ADMX Info: Time period (in days) that quarantine items will be stored on the system. -The default value is 0, which keeps items in quarantine, and does not automatically remove them. +The default value is 0, which keeps items in quarantine, and doesn't automatically remove them. @@ -1293,9 +1293,9 @@ Valid values: 0–90 This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. -If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. +If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run. -If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off. +If you disable or don't configure this setting, catch-up scans for scheduled full scans will be turned off. Supported values: @@ -1356,9 +1356,9 @@ ADMX Info: This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. -If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. +If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run. -If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off. +If you disable or don't configure this setting, catch-up scans for scheduled quick scans will be turned off. Supported values: @@ -1475,7 +1475,7 @@ This policy setting allows you to enable or disable low CPU priority for schedul If you enable this setting, low CPU priority will be used during scheduled scans. -If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. +If you disable or don't configure this setting, not changes will be made to CPU priority for scheduled scans. Supported values: @@ -1535,13 +1535,13 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. +This policy allows you to turn on network protection (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This protection includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. -If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. -If you enable this policy with the ""Audit"" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center. -If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center. -If you do not configure this policy, network blocking will be disabled by default. +If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You'll be able to see this activity in Windows Defender Security Center. +If you enable this policy with the ""Audit"" option, users/apps won't be blocked from connecting to dangerous domains. However, you'll still see this activity in Windows Defender Security Center. +If you disable this policy, users/apps won't be blocked from connecting to dangerous domains. You'll not see any network activity in Windows Defender Security Center. +If you don't configure this policy, network blocking will be disabled by default. @@ -1761,8 +1761,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications. -- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats. +- 0 (default) – PUA Protection off. Windows Defender won't protect against potentially unwanted applications. +- 1 – PUA Protection on. Detected items are blocked. They'll show in history along with other threats. - 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. @@ -2095,7 +2095,7 @@ Valid values: 0–1380. This policy setting allows you to define the security intelligence location for VDI-configured computers. -If you disable or do not configure this setting, security intelligence will be referred from the default local source. +If you disable or don't configure this setting, security intelligence will be referred from the default local source. @@ -2155,9 +2155,9 @@ Possible values are: For example: InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC -If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. +If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted. -If you disable or do not configure this setting, definition update sources will be contacted in a default order. +If you disable or don't configure this setting, definition update sources will be contacted in a default order. OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder @@ -2217,9 +2217,9 @@ For example: \\unc1\Signatures | \\unc2\Signatures The list is empty by default. -If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. +If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted. -If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. +If you disable or don't configure this setting, the list will remain empty by default and no sources will be contacted. OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFileSharesSources diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 43ad826d3d..ba4c441b84 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -204,7 +204,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. -Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. +Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This policy means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. @@ -310,7 +310,7 @@ ADMX Info: -This policy allows you to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. +This policy allows you to configure one or more Delivery Optimizations in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. @@ -374,7 +374,7 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. -After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from peers. Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600). +After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from peers. A download that is waiting for peer sources will appear to be stuck for the end user. The recommended value is 1 hour (3600). @@ -529,9 +529,9 @@ Supported values: 0 - one month (in seconds) This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. -After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. +After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers. -Note that a download that is waiting for peer sources, will appear to be stuck for the end user. +A download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 minute (60). @@ -550,7 +550,7 @@ The following list shows the supported values as number of seconds: - 0 to 86400 (1 day) - 0 - managed by the cloud service -- Default is not configured. +- Default isn't configured. @@ -607,8 +607,8 @@ The following list shows the supported values: - 1 (default) – HTTP blended with peering behind the same NAT. - 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - 3 – HTTP blended with Internet peering. -- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. -- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release. +- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. +- 100 - Bypass mode. Don't use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. This value is deprecated and will be removed in a future release. @@ -645,7 +645,7 @@ The following list shows the supported values: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. -This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity. +This policy specifies an arbitrary group ID that the device belongs to. Use this ID if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN. This approach is a best effort optimization and shouldn't be relied on for an authentication of identity. > [!NOTE] > You must use a GUID as the group ID. @@ -701,7 +701,7 @@ The options set in this policy only apply to Group (2) download mode. If Group ( For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. -Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. +Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this task, set the value of DOGroupIdSource to 5. @@ -802,7 +802,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. -Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. +Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. The default value is 259200 seconds (3 days). @@ -947,7 +947,7 @@ ADMX Info: -This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which is not used in commercial deployments. There is no alternate policy to use. +This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which isn't used in commercial deployments. There's no alternate policy to use. @@ -1332,7 +1332,7 @@ ADMX Info: Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. -Note that downloads from LAN peers will not be throttled even when this policy is set. +Downloads from LAN peers won't be throttled even when this policy is set. @@ -1390,12 +1390,12 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. -Note that downloads from LAN peers will not be throttled even when this policy is set. +Downloads from LAN peers won't be throttled even when this policy is set. ADMX Info: -- GP Friendly namee: *Maximum Foreground Download Bandwidth (percentage)* +- GP Friendly name: *Maximum Foreground Download Bandwidth (percentage)* - GP name: *PercentageMaxForegroundBandwidth* - GP element: *PercentageMaxForegroundBandwidth* - GP path: *Windows Components/Delivery Optimization* @@ -1499,7 +1499,7 @@ ADMX Info: -This policy allows an IT Admin to define the following: +This policy allows an IT Admin to define the following details: - Business hours range (for example 06:00 to 18:00) - % of throttle for background traffic during business hours @@ -1551,7 +1551,7 @@ ADMX Info: -This policy allows an IT Admin to define the following: +This policy allows an IT Admin to define the following details: - Business hours range (for example 06:00 to 18:00) - % of throttle for foreground traffic during business hours diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 94bb5c7ab0..7a2f5f914a 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -63,14 +63,14 @@ manager: dansimp -DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service which requires it. +DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service that requires it. The following list shows the supported values: -- 1 — The DeviceHealthMonitoring connection is enabled. -- 0 (default) — The DeviceHealthMonitoring connection is disabled. +- 1—The DeviceHealthMonitoring connection is enabled. +- 0 (default)—The DeviceHealthMonitoring connection is disabled. @@ -112,7 +112,7 @@ The following list shows the supported values: This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection. -IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service. +IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service. @@ -158,7 +158,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios. -In most cases, an IT Pro does not need to define this policy. Instead, it is expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. Only configure this policy manually if explicitly instructed to do so by a Microsoft device monitoring service. +In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. Only configure this policy manually if explicitly instructed to do so by a Microsoft device monitoring service. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 5f1a7bd17d..0cc81579bc 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -96,15 +96,15 @@ When this policy setting is enabled together with the "Apply layered order of ev - Prevent installation of devices that match these device IDs - Prevent installation of devices that match any of these device instance IDs -If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. > [!NOTE] -> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. +> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -146,7 +146,7 @@ To enable this policy, use the following SyncML. This example allows Windows to ``` -To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -197,16 +197,16 @@ This policy setting allows you to specify a list of Plug and Play device instanc When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: - Prevent installation of devices that match any of these device instance IDs -If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. > [!NOTE] -> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. +> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -246,7 +246,7 @@ To enable this policy, use the following SyncML. ``` -To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ``` txt >>> [Device Installation Restrictions Policy Check] >>> Section start 2018/11/15 12:26:41.659 @@ -299,16 +299,16 @@ When this policy setting is enabled together with the "Apply layered order of ev - Prevent installation of devices that match these device IDs - Prevent installation of devices that match any of these device instance IDs -If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. > [!NOTE] -> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. +> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -355,7 +355,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` -To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt @@ -421,7 +421,7 @@ Device instance IDs > Device IDs > Device setup class > Removable devices > [!NOTE] > This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. -If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. +If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. @@ -457,7 +457,7 @@ ADMX Info: ``` -To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt @@ -468,7 +468,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and ``` You can also change the evaluation order of device installation policy settings by using a custom profile in Intune. -:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image."::: +:::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image."::: @@ -506,9 +506,9 @@ You can also change the evaluation order of device installation policy settings This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. -If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab). +If you enable this policy setting, Windows doesn't retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab). -If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. +If you disable or don't configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. @@ -561,14 +561,14 @@ ADMX Info: -This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. +This policy setting allows you to prevent the installation of devices that aren't described by any other policy setting. > [!NOTE] -> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting. +> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting. -If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting. +If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that isn't described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting. -If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. +If you disable or don't configure this policy setting, Windows is allowed to install or update the driver package for any device that isn't described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. @@ -585,7 +585,7 @@ ADMX Info: -To enable this policy, use the following SyncML. This example prevents Windows from installing devices that are not specifically described by any other policy setting. +To enable this policy, use the following SyncML. This example prevents Windows from installing devices that aren't described by any other policy setting. ```xml @@ -607,7 +607,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` -To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -661,7 +661,7 @@ This policy setting allows you to specify a list of Plug and Play hardware IDs a If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -703,7 +703,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` -To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -756,7 +756,7 @@ This policy setting allows you to specify a list of Plug and Play device instanc If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -795,7 +795,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` -To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ``` txt >>> [Device Installation Restrictions Policy Check] @@ -819,7 +819,7 @@ Replace with ```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0``` > [!Note] - > Do not use spaces in the value. + > don't use spaces in the value. 3. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile. @@ -864,7 +864,7 @@ This policy setting allows you to specify a list of device setup class globally If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. +If you disable or don't configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -911,7 +911,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` -To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 2168317903..750efe50ed 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -152,7 +152,7 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th > This policy must be wrapped in an Atomic command. -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -377,16 +377,16 @@ Specifies when the password expires (in days). -If all policy values = 0 then 0; otherwise, Min policy value is the most secure value. +If all policy values = 0, then 0; otherwise, Min policy value is the most secure value. -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). The following list shows the supported values: - An integer X where 0 <= X <= 730. -- 0 (default) - Passwords do not expire. +- 0 (default) - Passwords don't expire. @@ -425,11 +425,11 @@ Specifies how many passwords can be stored in the history that can’t be used. > [!NOTE] > This policy must be wrapped in an Atomic command. -The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords. +The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords. Max policy value is the most restricted. -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -470,7 +470,7 @@ The following list shows the supported values: -Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. +Specifies the default lock screen and sign-in image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and sign-in screens. Users won't be able to change this image. > [!NOTE] > This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. @@ -516,14 +516,14 @@ The number of authentication failures allowed before the device will be wiped. A > This policy must be wrapped in an Atomic command. -On a client device, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. +On a client device, when the user reaches the value set by this policy, it isn't wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker isn't enabled, then the policy can't be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -573,7 +573,7 @@ On HoloLens, this timeout is controlled by the device's system sleep timeout, re -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -651,9 +651,9 @@ Enforced values for Local and Microsoft Accounts: - Base 10 digits (0 through 9) - Special characters (!, $, \#, %, etc.) -The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. +The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). @@ -698,7 +698,7 @@ Specifies the minimum number or characters required in the PIN or password. Max policy value is the most restricted. -For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). @@ -767,7 +767,7 @@ This security setting determines the period of time (in days) that a password mu The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. -Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. +Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting doesn't follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user doesn't have to choose a new password. For this reason, Enforce password history is set to 1 by default. @@ -811,7 +811,7 @@ Disables the lock screen camera toggle switch in PC Settings and prevents a came By default, users can enable invocation of an available camera on the lock screen. -If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen. +If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera can't be invoked on the lock screen. > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 5fcf63a361..f3f60dd44f 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -113,19 +113,19 @@ ADMX Info: -Per Process System DPI is an application compatibility feature for desktop applications that do not render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that have not been updated to display properly in this scenario will be blurry until you log out and back in to Windows. +Per Process System DPI is an application compatibility feature for desktop applications that don't render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that haven't been updated to display properly in this scenario will be blurry until you sign out and back in to Windows. -When you enable this policy some blurry applications will be crisp after they are restarted, without requiring the user to log out and back in to Windows. +When you enable this policy some blurry applications will be crisp after they're restarted, without requiring the user to sign out and back in to Windows. -Be aware of the following: +Be aware of the following points: -Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display that has the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors. +Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display having the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors. -Per Process System DPI will not work for all applications as some older desktop applications will always be blurry on high DPI displays. +Per Process System DPI won't work for all applications as some older desktop applications will always be blurry on high DPI displays. In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled. -Enabling this setting lets you specify the system-wide default for desktop applications and per-application overrides. If you disable or do not configure this setting. Per Process System DPI will not apply to any processes on the system. +Enabling this setting lets you specify the system-wide default for desktop applications and per-application overrides. If you disable or don't configure this setting, Per Process System DPI won't apply to any processes on the system. @@ -218,13 +218,13 @@ ADMX Info: -GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. +GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware. This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off. -If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. +If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they're enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. -If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications. +If you disable or don't configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications. If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. @@ -239,7 +239,7 @@ ADMX Info: -To validate on Desktop, do the following: +To validate on Desktop, do the following tasks: 1. Configure the setting for an app, which has GDI DPI scaling enabled via MDM or any other supported mechanisms. 2. Run the app and observe blurry text. @@ -276,13 +276,13 @@ To validate on Desktop, do the following: -GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. +GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware. This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on. If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list. -If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. +If you disable or don't configure this policy setting, GDI DPI Scaling won't be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. @@ -297,7 +297,7 @@ ADMX Info: -To validate on Desktop, do the following: +To validate on Desktop, do the following tasks: 1. Configure the setting for an app, which uses GDI. 2. Run the app and observe crisp text. diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 336c23a5cb..1258127e5e 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -1,6 +1,6 @@ --- title: Policy CSP - DmaGuard -description: Learn how to use the Policy CSP - DmaGuard setting to provide additional security against external DMA capable devices. +description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA capable devices. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -56,11 +56,11 @@ manager: dansimp -This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing. +This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing. -Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. +Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. -This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. +This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. > [!NOTE] > This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 4bd0742e0b..f846573eda 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Education -description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app. +description: Learn how to use the Policy CSP - Education setting to control the graphing functionality in the Windows Calculator app. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -65,7 +65,7 @@ manager: dansimp -This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. +This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality won't be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you'll be able to access graphing functionality. ADMX Info: @@ -147,7 +147,7 @@ The policy value is expected to be the name (network host name) of an installed -Allows IT Admins to prevent user installation of additional printers from the printers settings. +Allows IT Admins to prevent user installation of more printers from the printers settings. diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 4e5f16f246..37d4c94e64 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -75,19 +75,19 @@ manager: dansimp This policy setting determines the consent behavior of Windows Error Reporting for specific event types. -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. +If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those even types for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. - 1 (Always ask before sending data): Windows prompts the user for consent to send reports. -- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any extra data requested by Microsoft. -- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. +- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent to send any extra data requested by Microsoft. - 4 (Send all data): Any data requested by Microsoft is sent automatically. -If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. +If you disable or don't configure this policy setting, then the default consent settings that are applied are those settings specified by the user in Control Panel, or in the Configure Default Consent policy setting. @@ -129,11 +129,11 @@ ADMX Info: -This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. +This policy setting turns off Windows Error Reporting, so that reports aren't collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. -If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. +If you enable this policy setting, Windows Error Reporting doesn't send any problem information to Microsoft. Additionally, solution information isn't available in Security and Maintenance in Control Panel. -If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. +If you disable or don't configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. @@ -179,9 +179,9 @@ This policy setting controls whether users are shown an error dialog box that le If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. -If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users. +If you disable this policy setting, users aren't notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that don't have interactive users. -If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. +If you don't configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. See also the Configure Error Reporting policy setting. @@ -225,11 +225,11 @@ ADMX Info: -This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. +This policy setting controls whether extra data in support of error reports can be sent to Microsoft automatically. -If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. +If you enable this policy setting, any extra data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. -If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. +If you disable or don't configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. @@ -273,9 +273,9 @@ ADMX Info: This policy setting prevents the display of the user interface for critical errors. -If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors. +If you enable this policy setting, Windows Error Reporting doesn't display any GUI-based error messages or dialog boxes for critical errors. -If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. +If you disable or don't configure this policy setting, Windows Error Reporting displays the user interface for critical errors. diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 9e1e22c296..ced6ab68a9 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -1,6 +1,6 @@ --- title: Policy CSP - EventLogService -description: Learn how to use the Policy CSP - EventLogService settting to control Event Log behavior when the log file reaches its maximum size. +description: Learn how to use the Policy CSP - EventLogService setting to control Event Log behavior when the log file reaches its maximum size. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -67,9 +67,9 @@ manager: dansimp This policy setting controls Event Log behavior when the log file reaches its maximum size. -If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. +If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost. -If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. +If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. @@ -115,9 +115,9 @@ ADMX Info: This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. +If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. @@ -161,9 +161,9 @@ ADMX Info: This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. +If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. @@ -207,9 +207,9 @@ ADMX Info: This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. +If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index cb785576ec..b115b5df8c 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -155,7 +155,7 @@ ADMX Info: 1. Configure Experiences/AllowClipboardHistory to 0. 1. Open Notepad (or any editor app), select a text, and copy it to the clipboard. 1. Press Win+V to open the clipboard history UI. -1. You should not see any clipboard item including current item you copied. +1. You shouldn't see any clipboard item including current item you copied. 1. The setting under Settings App->System->Clipboard should be grayed out with policy warning. @@ -241,7 +241,7 @@ The following list shows the supported values: Allows users to turn on/off device discovery UX. -When set to 0, the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on. +When set to 0, the projection pane is disabled. The Win+P and Win+K shortcut keys won't work on. Most restricted value is 0. @@ -287,7 +287,7 @@ This policy turns on Find My Device. When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. -When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device. +When Find My Device is off, the device and its location aren't registered and the Find My Device feature won't work. In Windows 10, version 1709 the user won't be able to view the location of the last use of their active digitizer on their device. @@ -335,7 +335,7 @@ The following list shows the supported values: -Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g., auto-enrolled), then disabling the MDM unenrollment has no effect. +Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (for example, auto-enrolled), then disabling the MDM unenrollment has no effect. > [!NOTE] > The MDM server can always remotely delete the account. @@ -398,7 +398,7 @@ This policy is deprecated. -Describe what value are supported in by this policy and meaning of each value is default value. +Describe what values are supported in by this policy and meaning of each value is default value. @@ -443,7 +443,7 @@ This policy is deprecated. -Describes what value are supported in by this policy and meaning of each value is default value. +Describes what values are supported in by this policy and meaning of each value is default value. @@ -482,7 +482,7 @@ Allows or disallows all Windows sync settings on the device. For information abo The following list shows the supported values: -- 0 – Sync settings are not allowed. +- 0 – Sync settings aren't allowed. - 1 (default) – Sync settings allowed. @@ -517,12 +517,12 @@ The following list shows the supported values: -This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. +This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows won't use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or don't configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. > [!NOTE] -> This setting does not control Cortana cutomized experiences because there are separate policies to configure it. +> This setting doesn't control Cortana cutomized experiences because there are separate policies to configure it. Most restricted value is 0. @@ -682,7 +682,7 @@ The following list shows the supported values: > This policy is only available for Windows 10 Enterprise and Windows 10 Education. -Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. +Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or don't configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. Most restricted value is 0. @@ -733,7 +733,7 @@ The following list shows the supported values: -This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. +This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or don't configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. Most restricted value is 0. @@ -837,7 +837,7 @@ The following list shows the supported values: This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. -The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. +The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or don't configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. Most restricted value is 0. @@ -942,7 +942,7 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not - 0 - Not Configured: The Chat icon will be configured according to the defaults for your Windows edition. - 1 - Show: The Chat icon will be displayed on the taskbar by default. Users can show or hide it in Settings. - 2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings. -- 3 - Disabled: The Chat icon will not be displayed, and users cannot show or hide it in Settings. +- 3 - Disabled: The Chat icon won't be displayed, and users can't show or hide it in Settings. > [!NOTE] > Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts. @@ -982,7 +982,7 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not > This policy is only available for Windows 10 Enterprise and Windows 10 Education. -Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. +Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization doesn't have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. @@ -1033,7 +1033,7 @@ This policy setting lets you turn off cloud optimized content in all Windows exp If you enable this policy setting, Windows experiences that use the cloud optimized content client component will present the default fallback content. -If you disable or do not configure this policy setting, Windows experiences will be able to use cloud optimized content. +If you disable or don't configure this policy setting, Windows experiences will be able to use cloud optimized content. @@ -1083,9 +1083,9 @@ The following list shows the supported values: Prevents devices from showing feedback questions from Microsoft. -If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback. +If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or don't configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback. -If you disable or do not configure this policy setting, users can control how often they receive feedback questions. +If you disable or don't configure this policy setting, users can control how often they receive feedback questions. @@ -1099,7 +1099,7 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. +- 0 (default) – Feedback notifications aren't disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. - 1 – Feedback notifications are disabled. @@ -1151,7 +1151,7 @@ ADMX Info: Supported values: - 0 (default) - Allowed/turned on. The "browser" group synchronizes automatically between users' devices and lets users make changes. -- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option. +- 2 - Prevented/turned off. The "browser" group doesn't use the _Sync your Settings_ option. _**Sync the browser settings automatically**_ @@ -1291,7 +1291,7 @@ If you enable this policy setting, the lock option is shown in the User Tile men If you disable this policy setting, the lock option is never shown in the User Tile menu. -If you do not configure this policy setting, the lock option is shown in the User Tile menu. Users can choose if they want to show the lock in the user tile menu from the Power Options control panel. +If you don't configure this policy setting, the lock option is shown in the User Tile menu. Users can choose if they want to show the lock in the user tile menu from the Power Options control panel. @@ -1304,7 +1304,7 @@ ADMX Info: Supported values: -- false - The lock option is not displayed in the User Tile menu. +- false - The lock option isn't displayed in the User Tile menu. - true (default) - The lock option is displayed in the User Tile menu. diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 4c736050b2..c2b205ad92 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -58,11 +58,11 @@ manager: dansimp This policy allows an enterprise to configure the default mode for the handwriting panel. -The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen. +The handwriting panel has two modes - floats near the text box, or docked to the bottom of the screen. The default configuration is the one floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen. -In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and does not require any user interaction. +In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction. -The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way. +The docked mode is especially useful in Kiosk mode where you don't expect the end-user to drag the flying-in panel out of the way. diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 95b4864abc..f8ed8cecde 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -85,9 +85,9 @@ manager: dansimp This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). -If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. +If you enable this policy setting, the Kerberos client searches the forests in this list, if it's unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. -If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. +If you disable or don't configure this policy setting, the Kerberos client doesn't search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name isn't found, NTLM authentication might be used. @@ -129,11 +129,11 @@ ADMX Info: -This policy allows retrieving the cloud Kerberos ticket during the logon. +This policy allows retrieving the cloud Kerberos ticket during the sign in. -- If you disable (0) or do not configure this policy setting, the cloud Kerberos ticket is not retrieved during the logon. +- If you disable (0) or don't configure this policy setting, the cloud Kerberos ticket isn't retrieved during the sign in. -- If you enable (1) this policy, the cloud Kerberos ticket is retrieved during the logon. +- If you enable (1) this policy, the cloud Kerberos ticket is retrieved during the sign in. @@ -182,9 +182,9 @@ ADMX Info: This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. +If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains that support claims and compound authentication for Dynamic Access Control and Kerberos armoring. -If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. +If you disable or don't configure this policy setting, the client devices won't request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device won't be able to retrieve claims for clients using Kerberos protocol transition. @@ -229,14 +229,14 @@ ADMX Info: This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. -If you enable this policy, you will be able to configure one of four states for each algorithm: +If you enable this policy, you'll be able to configure one of four states for each algorithm: -* **Default**: This sets the algorithm to the recommended state. -* **Supported**: This enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. -* **Audited**: This enables usage of the algorithm and reports an event (ID 205) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled. -* **Not Supported**: This disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +* **Default**: This state sets the algorithm to the recommended state. +* **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. +* **Audited**: This state enables usage of the algorithm and reports an event (ID 205) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +* **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. -If you disable or do not configure this policy, each algorithm will assume the **Default** state. +If you disable or don't configure this policy, each algorithm will assume the **Default** state. More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037. @@ -282,14 +282,14 @@ ADMX Info: This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. -Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. +Warning: When a domain doesn't support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. > [!NOTE] > The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. -If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. +If you disable or don't configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. @@ -333,9 +333,9 @@ ADMX Info: This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. -If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. +If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer isn't joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. -If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. +If you disable or don't configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions that can be issued to any server. @@ -377,16 +377,16 @@ ADMX Info: -This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. +This policy setting allows you to set the value returned to applications that request the maximum size of the SSPI context token buffer size. The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. -If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. +If you disable or don't configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. > [!NOTE] -> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. +> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it's not advised to set this value more than 48,000 bytes. @@ -428,9 +428,9 @@ ADMX Info: -Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal. +Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it can't resolve a UPN to a principal. -Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. +Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This limitation can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 4dfe60a594..ec353dc9aa 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -77,7 +77,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic -List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. +List of exceptions to the blocked website URLs (with wildcard support). This policy is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -113,7 +113,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This is -List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. +List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -185,7 +185,7 @@ Configures the default URL kiosk browsers to navigate on launch and restart. -Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user clicks on the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk browser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL. +Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user selects the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk browser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL. @@ -292,7 +292,7 @@ Enable/disable kiosk browser's navigation buttons (forward/back). Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. -The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. +The value is an int 1-1440 that specifies the number of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty, which means there's no idle timeout within the kiosk browser. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index 0165674799..abd1293e59 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -1,6 +1,6 @@ --- title: Policy CSP - LanmanWorkstation -description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest logons to an SMB server. +description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest sign ins to an SMB server. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -56,13 +56,13 @@ manager: dansimp -This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. +This policy setting determines if the SMB client will allow insecure guest sign ins to an SMB server. -If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. +If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest sign ins. -If you disable this policy setting, the SMB client will reject insecure guest logons. +If you disable this policy setting, the SMB client will reject insecure guest sign ins. -Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access. +Insecure guest sign ins are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest sign ins are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest sign ins by default. Since insecure guest sign ins are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest sign ins are vulnerable to various man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest sign in is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest sign ins and configuring file servers to require authenticated access. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 056c7c95d6..affd8a51ea 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -201,11 +201,11 @@ manager: dansimp This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users cannot add Microsoft accounts" option, users won't be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This option is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. -If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users won't be able to sign in to Windows. Selecting this option might make it impossible for an existing administrator on this computer to sign in and manage the system. -If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. +If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows. Value type is integer. Supported operations are Add, Get, Replace, and Delete. @@ -220,7 +220,7 @@ GP Info: The following list shows the supported values: - 0 - disabled (users will be able to use Microsoft accounts with Windows). -- 1 - enabled (users cannot add Microsoft accounts). +- 1 - enabled (users can't add Microsoft accounts). @@ -350,16 +350,16 @@ The following list shows the supported values: Accounts: Limit local account use of blank passwords to console logon only -This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. +This security setting determines whether local accounts that aren't password protected can be used to sign in from locations other than the physical computer console. If enabled, local accounts that aren't password protected will only be able to sign in at the computer's keyboard. Default: Enabled. > [!WARNING] -> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. -If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. +> Computers that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can sign in by using a user account that doesn't have a password. This is especially important for portable computers. +If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services. -This setting does not affect logons that use domain accounts. -It is possible for applications that use remote interactive logons to bypass this setting. +This setting doesn't affect sign ins that use domain accounts. +It's possible for applications that use remote interactive sign ins to bypass this setting. Value type is integer. Supported operations are Add, Get, Replace, and Delete. @@ -372,8 +372,8 @@ GP Info: Valid values: -- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console -- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard +- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console +- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard @@ -496,9 +496,9 @@ GP Info: -Devices: Allow undock without having to log on. +Devices: Allow undock without having to sign in. -This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. +This security setting determines whether a portable computer can be undocked without having to sign in. If this policy is enabled, sign in isn't required and an external hardware eject button can be used to undock the computer. If disabled, a user must sign in and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. > [!CAUTION] @@ -548,7 +548,7 @@ This security setting determines who is allowed to format and eject removable NT - Administrators - Administrators and Interactive Users -Default: This policy is not defined and only Administrators have this ability. +Default: This policy isn't defined, and only Administrators have this ability. @@ -595,7 +595,7 @@ Default on servers: Enabled. Default on workstations: Disabled >[!NOTE] ->This setting does not affect the ability to add a local printer. This setting does not affect Administrators. +>This setting doesn't affect the ability to add a local printer. This setting doesn't affect Administrators. @@ -640,7 +640,7 @@ This security setting determines whether a CD-ROM is accessible to both local an If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. -Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. +Default: This policy isn't defined and CD-ROM access isn't restricted to the locally logged-on user. @@ -679,7 +679,7 @@ GP Info: -Interactive Logon:Display user information when the session is locked +Interactive Logon: Display user information when the session is locked Value type is integer. Supported operations are Add, Get, Replace, and Delete. @@ -695,7 +695,7 @@ GP Info: Valid values: - 1 - User display name, domain and user names - 2 - User display name only -- 3 - Do not display user information +- 3 - Don't display user information @@ -731,7 +731,7 @@ Valid values: Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. -If this policy is enabled, the username will not be shown. +If this policy is enabled, the username won't be shown. If this policy is disabled, the username will be shown. @@ -749,7 +749,7 @@ GP Info: Valid values: - 0 - disabled (username will be shown) -- 1 - enabled (username will not be shown) +- 1 - enabled (username won't be shown) @@ -786,7 +786,7 @@ Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. -If this policy is enabled, the username will not be shown. +If this policy is enabled, the username won't be shown. If this policy is disabled, the username will be shown. @@ -804,7 +804,7 @@ GP Info: Valid values: - 0 - disabled (username will be shown) -- 1 - enabled (username will not be shown) +- 1 - enabled (username won't be shown) @@ -837,11 +837,11 @@ Valid values: -Interactive logon: Do not require CTRL+ALT+DEL +Interactive logon: Don't require CTRL+ALT+DEL -This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. +This security setting determines whether pressing CTRL+ALT+DEL is required before a user can sign in. -If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. +If this policy is enabled on a computer, a user isn't required to press CTRL+ALT+DEL to sign in. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users sign in ensures that users are communicating through a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. @@ -860,7 +860,7 @@ GP Info: Valid values: - 0 - disabled -- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on) +- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in) @@ -895,7 +895,7 @@ Valid values: Interactive logon: Machine inactivity limit. -Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. +Windows notices inactivity of a sign-in session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Default: not enforced. @@ -909,7 +909,7 @@ GP Info: -Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled. +Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it's set to zero (0), the setting is disabled. @@ -942,9 +942,9 @@ Valid values: From 0 to 599940, where the value is the amount of inactivity time -Interactive logon: Message text for users attempting to log on +Interactive logon: Message text for users attempting to sign in -This security setting specifies a text message that is displayed to users when they log on. +This security setting specifies a text message that is displayed to users when they sign in. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. @@ -989,9 +989,9 @@ GP Info: -Interactive logon: Message title for users attempting to log on +Interactive logon: Message title for users attempting to sign in -This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. +This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to sign in. Default: No message. @@ -1047,14 +1047,14 @@ The options are: If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. -If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. +If you click Force Logoff in the Properties dialog box for this policy, the user is automatically signed off when the smart card is removed. -If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. +If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging off the user. This policy allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation. > [!NOTE] > Remote Desktop Services was called Terminal Services in previous versions of Windows Server. -Default: This policy is not defined, which means that the system treats it as No action. +Default: This policy isn't defined, which means that the system treats it as No action. On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. @@ -1098,7 +1098,7 @@ Microsoft network client: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. -If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. +If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled. @@ -1208,7 +1208,7 @@ GP Info: Microsoft network client: Send unencrypted password to connect to third-party SMB servers -If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. +If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that don't support password encryption during authentication. Sending unencrypted passwords is a security risk. @@ -1263,7 +1263,7 @@ Administrators can use this policy to control when a computer suspends an inacti For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. -Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. +Default: This policy isn't defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. @@ -1317,7 +1317,7 @@ This security setting determines whether packet signing is required by the SMB s The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. -If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. +If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled for member servers. Enabled for domain controllers. @@ -1328,7 +1328,7 @@ Default: Disabled for member servers. Enabled for domain controllers. > - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. > - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > -> Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +> Similarly, if client-side SMB signing is required, that client won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. > If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. > SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1427,19 +1427,19 @@ GP Info: -Network access: Do not allow anonymous enumeration of SAM accounts +Network access: Don't allow anonymous enumeration of SAM accounts -This security setting determines what additional permissions will be granted for anonymous connections to the computer. +This security setting determines what other permissions will be granted for anonymous connections to the computer. -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. +Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. -This security option allows additional restrictions to be placed on anonymous connections as follows: +This security option allows more restrictions to be placed on anonymous connections as follows: -Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. -Disabled: No additional restrictions. Rely on default permissions. +Enabled: Don't allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. +Disabled: No extra restrictions. Rely on default permissions. Default on workstations: Enabled. -Default on server:Enabled. +Default on server: Enabled. > [!IMPORTANT] > This policy has no impact on domain controllers. @@ -1481,11 +1481,11 @@ GP Info: -Network access: Do not allow anonymous enumeration of SAM accounts and shares +Network access: Don't allow anonymous enumeration of SAM accounts and shares This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. +Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. If you don't want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. Default: Disabled. @@ -1667,7 +1667,7 @@ Valid values: Network security: Allow PKU2U authentication requests to this computer to use online identities. -This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. +This policy will be turned off by default on domain joined machines. This disablement would prevent online identities from authenticating to the domain joined machine. Value type is integer. Supported operations are Add, Get, Replace, and Delete. @@ -1715,9 +1715,9 @@ Valid values: -Network security: Do not store LAN Manager hash value on next password change +Network security: Don't store LAN Manager hash value on next password change -This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. +This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked. Default on Windows Vista and above: Enabled @@ -1825,8 +1825,8 @@ Network security: Minimum session security for NTLM SSP based (including secure This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: -- Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. -- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. +- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated. +- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) isn't negotiated. Default: @@ -1875,8 +1875,8 @@ Network security: Minimum session security for NTLM SSP based (including secure This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: -Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. -Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. +Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated. +Require 128-bit encryption. The connection will fail if strong encryption (128-bit) isn't negotiated. Default: @@ -1927,9 +1927,9 @@ This policy setting allows you to create an exception list of remote servers to If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. -If you do not configure this policy setting, no exceptions will be applied. +If you don't configure this policy setting, no exceptions will be applied. -The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. +The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character. @@ -1981,7 +1981,7 @@ Network security: Restrict NTLM: Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. -If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. +If you select "Disable", or don't configure this policy setting, the server won't log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. @@ -2042,9 +2042,9 @@ Network security: Restrict NTLM: Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. -If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. +If you select "Allow all" or don't configure this policy setting, the server will allow all NTLM authentication requests. -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. +If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain sign in and display an NTLM blocked error, but allow local account sign in. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. @@ -2103,11 +2103,11 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. -If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. +If you select "Allow all" or don't configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. +If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This logging allows you to identify those servers receiving NTLM authentication requests from the client computer. -If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. +If you select "Deny all," the client computer can't authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2. @@ -2160,13 +2160,13 @@ GP Info: -Shutdown: Allow system to be shut down without having to log on +Shutdown: Allow system to be shut down without having to sign in -This security setting determines whether a computer can be shut down without having to log on to Windows. +This security setting determines whether a computer can be shut down without having to sign in to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. -When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. +When this policy is disabled, the option to shut down the computer doesn't appear on the Windows logon screen. In this case, users must be able to sign in to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. Default on workstations: Enabled. Default on servers: Disabled. @@ -2183,7 +2183,7 @@ GP Info: Valid values: - 0 - disabled -- 1 - enabled (allow system to be shut down without having to log on) +- 1 - enabled (allow system to be shut down without having to sign in) @@ -2220,7 +2220,7 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. -Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. +Virtual memory support uses a system pagefile to swap pages of memory to disk when they aren't used. On a running system, this pagefile is opened exclusively by the operating system, and it's well protected. However, systems that are configured to allow booting to other operating systems might have to ensure that the system pagefile is wiped clean when this system shuts down. This cleaning ensures that sensitive information from process memory that might go into the pagefile isn't available to an unauthorized user who manages to directly access the pagefile. When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. @@ -2267,7 +2267,7 @@ User Account Control: Allow UIAccess applications to prompt for elevation withou This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. -Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. +Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. Disabled: (Default) @@ -2437,7 +2437,7 @@ The options are: Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. +Disabled: Application installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. @@ -2481,8 +2481,8 @@ User Account Control: Only elevate executable files that are signed and validate This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. The options are: -- 0 - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. -- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. +- 0 - Disabled: (Default) Doesn't enforce PKI certification path validation before a given executable file is permitted to run. +- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it's permitted to run. Value type is integer. Supported operations are Add, Get, Replace, and Delete. @@ -2525,7 +2525,7 @@ GP Info: User Account Control: Only elevate UIAccess applications that are installed in secure locations -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: +This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following locations: - .\Program Files\, including subfolders - .\Windows\system32\ @@ -2535,7 +2535,7 @@ This policy setting controls whether applications that request to run with a Use > Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: -- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. +- 0 - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system. - 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. Value type is integer. Supported operations are Add, Get, Replace, and Delete. diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index d27b02b6fd..7c01fe7a99 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Messaging -description: Enable, and disable, text message back up and restore as well as Messaging Everywhere by using the Policy CSP for messaging. +description: Enable, and disable, text message backup and restore as well as Messaging Everywhere by using the Policy CSP for messaging. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -56,7 +56,7 @@ manager: dansimp -Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. +Enables text message backup and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. @@ -70,7 +70,7 @@ ADMX Info: The following list shows the supported values: -- 0 - message sync is not allowed and cannot be changed by the user. +- 0 - message sync isn't allowed and can't be changed by the user. - 1 - message sync is allowed. The user can change this setting. diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index ad02deaa2f..02d6f53ac3 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -7,7 +7,6 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 1/31/2022 ms.reviewer: manager: dansimp --- @@ -36,7 +35,7 @@ manager: dansimp MixedReality/FallbackDiagnostics
- In Group Policy Editor, navigate to:
- - MixedReality/HeadTrackingMode/a> + MixedReality/HeadTrackingMode
-
MixedReality/MicrophoneDisabled
@@ -71,7 +70,7 @@ Steps to use this policy correctly:
1. Enroll HoloLens devices and verify both configurations get applied to the device.
1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
-1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
+1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they're a member of Azure AD group to which Kiosk configuration is targeted.
> [!NOTE]
> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
@@ -91,9 +90,9 @@ Steps to use this policy correctly:
|HoloLens 2|Yes|
-This new AutoLogonUser policy controls whether a user will be automatically logged on. Some customers want to set up devices that are tied to an identity but don't want any sign in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up login.
+This new AutoLogonUser policy controls whether a user will be automatically signed in. Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up sign in.
-When the policy is set to a non-empty value, it specifies the email address of the auto log-on user. The specified user must logon to the device at least once to enable autologon.
+When the policy is set to a non-empty value, it specifies the email address of the auto log-on user. The specified user must sign in to the device at least once to enable autologon.
The OMA-URI of new policy `./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoLogonUser`
@@ -102,7 +101,7 @@ String value
- User with the same email address will have autologon enabled.
-On a device where this policy is configured, the user specified in the policy will need to log-on at least once. Subsequent reboots of the device after the first logon will have the specified user automatically logged on. Only a single autologon user is supported. Once enabled, the automatically logged on user will not be able to log out manually. To log-on as a different user, the policy must first be disabled.
+On a device where this policy is configured, the user specified in the policy will need to sign in at least once. Subsequent reboots of the device after the first sign in will have the specified user automatically signed in. Only a single autologon user is supported. Once enabled, the automatically signed-in user won't be able to sign out manually. To sign in as a different user, the policy must first be disabled.
> [!NOTE]
>
@@ -122,7 +121,7 @@ On a device where this policy is configured, the user specified in the policy wi
-This policy setting controls for how many days Azure AD group membership cache is allowed to be used for Assigned Access configurations targeting Azure AD groups for signed in user. Once this policy setting is set only then cache is used otherwise not. In order for this policy setting to take effect, user must sign out and sign in with Internet available at least once before the cache can be used for subsequent "disconnected" sessions.
+This policy setting controls for how many days Azure AD group membership cache is allowed to be used for Assigned Access configurations targeting Azure AD groups for signed in user. Once this policy setting is set, only then cache is used, otherwise not. In order for this policy setting to take effect, user must sign out and sign in with Internet available at least once before the cache can be used for subsequent "disconnected" sessions.
@@ -162,7 +161,7 @@ Supported values are 0-60. The default value is 0 (day) and maximum value is 60
-This policy setting controls if pressing the brightness button changes the brightness or not. It only impacts brightness on HoloLens and not the functionality of the button when it is used with other buttons as combination for other purposes.
+This policy setting controls if pressing the brightness button changes the brightness or not. It only impacts brightness on HoloLens and not the functionality of the button when it's used with other buttons as combination for other purposes.
@@ -205,7 +204,7 @@ The following list shows the supported values:
-This policy controls the behavior of moving platform feature on Hololens 2, that is, whether it is turned off / on or it can be toggled by a user. It should only be used by customers who intend to use Hololens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:).
+This policy controls the behavior of moving platform feature on Hololens 2, that is, whether it's turned off / on or it can be toggled by a user. It should only be used by customers who intend to use Hololens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:).
@@ -216,8 +215,8 @@ This policy controls the behavior of moving platform feature on Hololens 2, that
- Integer value
- 0 (Default) - Last set user's preference. Initial state is OFF and after that user's preference is persisted across reboots and is used to initialize the system.
-- 1 Force off - Moving platform is disabled and cannot be changed by user.
-- 2 Force on - Moving platform is enabled and cannot be changed by user.
+- 1 Force off - Moving platform is disabled and can't be changed by user.
+- 2 Force on - Moving platform is enabled and can't be changed by user.
@@ -377,7 +376,7 @@ The following list shows the supported values:
-This policy setting controls if pressing the volume button changes the volume or not. It only impacts volume on HoloLens and not the functionality of the button when it is used with other buttons as combination for other purposes.
+This policy setting controls if pressing the volume button changes the volume or not. It only impacts volume on HoloLens and not the functionality of the button when it's used with other buttons as combination for other purposes.
diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md
index 5d7d45779b..1bd998b15e 100644
--- a/windows/client-management/mdm/policy-csp-multitasking.md
+++ b/windows/client-management/mdm/policy-csp-multitasking.md
@@ -60,9 +60,9 @@ manager: dansimp
This policy controls the inclusion of Edge tabs into Alt+Tab.
-Enabling this policy restricts the number of Edge tabs that are allowed to appear in the Alt+Tab switcher. Alt+Tab can be configured to show all open Edge tabs, only the 5 most recent tabs, only the 3 most recent tabs, or no tabs. Setting the policy to no tabs configures the Alt+Tab switcher to show app windows only, which is the classic Alt+Tab behavior.
+Enabling this policy restricts the number of Edge tabs that are allowed to appear in the Alt+Tab switcher. Alt+Tab can be configured to show all open Edge tabs, only the five most recent tabs, only the three most recent tabs, or no tabs. Setting the policy to no tabs configures the Alt+Tab switcher to show app windows only, which is the classic Alt+Tab behavior.
-This policy only applies to the Alt+Tab switcher. When the policy is not enabled, the feature respects the user's setting in the Settings app.
+This policy only applies to the Alt+Tab switcher. When the policy isn't enabled, the feature respects the user's setting in the Settings app.
> [!TIP]
@@ -85,8 +85,8 @@ ADMX Info:
The following list shows the supported values:
- 1 - Open windows and all tabs in Edge.
-- 2 - Open windows and 5 most recent tabs in Edge.
-- 3 - Open windows and 3 most recent tabs in Edge.
+- 2 - Open windows and five most recent tabs in Edge.
+- 3 - Open windows and three most recent tabs in Edge.
- 4 - Open windows only.
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index b7c30247ea..9dbb409924 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -119,7 +119,7 @@ ADMX Info:
-Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges.
+Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. These ranges are a comma-separated list of IPv4 and IPv6 ranges.
@@ -215,7 +215,7 @@ ADMX Info:
-This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
+This list is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They're considered to be enterprise network locations. The proxies are only used in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
@@ -257,7 +257,7 @@ ADMX Info:
-This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
+This list is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. This list is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
> [!NOTE]
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
@@ -300,7 +300,7 @@ Here are the steps to create canonical domain names:
-This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
+This list is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
@@ -383,7 +383,7 @@ ADMX Info:
-List of domain names that can used for work or personal resource.
+List of domain names that can be used for work or personal resource.
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 22a950170a..1e7e152515 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -70,7 +70,7 @@ When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must fo
- The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store.
-- A certificate should not be a public certificate.
+- A certificate shouldn't be a public certificate.
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index f2a1383e75..20823757ce 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -65,13 +65,13 @@ manager: dansimp -This policy setting blocks applications from using the network to send tile, badge, toast, and raw notifications. Specifically, this policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to use [periodic (polling) notifications](/windows/uwp/design/shell/tiles-and-notifications/periodic-notification-overview). +This policy setting blocks application from using the network to send tile, badge, toast, and raw notifications. Specifically, this policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to use [periodic (polling) notifications](/windows/uwp/design/shell/tiles-and-notifications/periodic-notification-overview). -If you enable this policy setting, applications and system features will not be able receive notifications from the network from WNS or via notification polling APIs. +If you enable this policy setting, applications and system features won't be able to receive notifications from the network from WNS or via notification polling APIs. If you enable this policy setting, notifications can still be raised by applications running on the machine via local API calls from within the application. -If you disable or do not configure this policy setting, the client computer will connect to WNS at user login and applications will be allowed to use periodic (polling) notifications. +If you disable or don't configure this policy setting, the client computer will connect to WNS at user sign in and applications will be allowed to use periodic (polling) notifications. No reboots or service restarts are required for this policy setting to take effect. @@ -130,7 +130,7 @@ Validation: Boolean value that turns off notification mirroring. -For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. +For each user signed in to the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device won't get mirrored to other devices of the same signed-in user. If you disable or don't configure this policy (set value to 0), the notifications received by this user on this device will be mirrored to other devices of the same signed-in user. This feature can be turned off by apps that don't want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. No reboot or service restart is required for this policy to take effect. @@ -182,9 +182,9 @@ The following list shows the supported values: This policy setting turns off tile notifications. -If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen. +If you enable this policy setting, applications and system features won't be able to update their tiles and tile badges in the Start screen. -If you disable or do not configure this policy setting, tile and badge notifications are enabled and can be turned off by the administrator or user. +If you disable or don't configure this policy setting, tile and badge notifications are enabled and can be turned off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect. @@ -263,7 +263,7 @@ Validation: This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications. -If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com. +If you disable or don't configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com. Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings. @@ -277,7 +277,7 @@ ADMX Info: -If the policy is not specified, we will default our connection to client.wns.windows.com. +If the policy isn't specified, we'll default our connection to client.wns.windows.com. diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 417c2b7bb8..6b1bf6a7d3 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -195,9 +195,9 @@ ADMX Info: This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. -If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. +If you enable or don't configure this policy setting, Windows uses standby states to put the computer in a sleep state. -If you disable this policy setting, standby states (S1-S3) are not allowed. +If you disable this policy setting, standby states (S1-S3) aren't allowed. @@ -241,9 +241,9 @@ ADMX Info: This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. -If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. +If you enable or don't configure this policy setting, Windows uses standby states to put the computer in a sleep state. -If you disable this policy setting, standby states (S1-S3) are not allowed. +If you disable this policy setting, standby states (S1-S3) aren't allowed. @@ -289,9 +289,9 @@ This policy setting allows you to specify the period of inactivity before Window If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. -If you disable or do not configure this policy setting, users control this setting. +If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -337,9 +337,9 @@ This policy setting allows you to specify the period of inactivity before Window If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. -If you disable or do not configure this policy setting, users control this setting. +If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -386,7 +386,7 @@ This policy setting allows you to specify battery charge level at which Energy S If you enable this policy setting, you must specify a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. -If you disable or do not configure this policy setting, users control this setting. +If you disable or don't configure this policy setting, users control this setting. @@ -441,7 +441,7 @@ This policy setting allows you to specify battery charge level at which Energy S If you enable this policy setting, you must provide a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. -If you disable or do not configure this policy setting, users control this setting. +If you disable or don't configure this policy setting, users control this setting. @@ -496,9 +496,9 @@ This policy setting allows you to specify the period of inactivity before Window If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. -If you disable or do not configure this policy setting, users control this setting. +If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -544,9 +544,9 @@ This policy setting allows you to specify the period of inactivity before Window If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. -If you disable or do not configure this policy setting, users control this setting. +If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -591,9 +591,9 @@ ADMX Info: This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. +If you enable or don't configure this policy setting, the user is prompted for a password when the system resumes from sleep. -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. +If you disable this policy setting, the user isn't prompted for a password when the system resumes from sleep. @@ -637,9 +637,9 @@ ADMX Info: This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. +If you enable or don't configure this policy setting, the user is prompted for a password when the system resumes from sleep. -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. +If you disable this policy setting, the user isn't prompted for a password when the system resumes from sleep. @@ -685,7 +685,7 @@ This policy setting specifies the action that Windows takes when a user closes t If you enable this policy setting, you must select the desired action. -If you disable this policy setting or do not configure it, users can see and change this setting. +If you disable this policy setting or don't configure it, users can see and change this setting. @@ -746,7 +746,7 @@ This policy setting specifies the action that Windows takes when a user closes t If you enable this policy setting, you must select the desired action. -If you disable this policy setting or do not configure it, users can see and change this setting. +If you disable this policy setting or don't configure it, users can see and change this setting. @@ -807,7 +807,7 @@ This policy setting specifies the action that Windows takes when a user presses If you enable this policy setting, you must select the desired action. -If you disable this policy setting or do not configure it, users can see and change this setting. +If you disable this policy setting or don't configure it, users can see and change this setting. @@ -868,7 +868,7 @@ This policy setting specifies the action that Windows takes when a user presses If you enable this policy setting, you must select the desired action. -If you disable this policy setting or do not configure it, users can see and change this setting. +If you disable this policy setting or don't configure it, users can see and change this setting. @@ -929,7 +929,7 @@ This policy setting specifies the action that Windows takes when a user presses If you enable this policy setting, you must select the desired action. -If you disable this policy setting or do not configure it, users can see and change this setting. +If you disable this policy setting or don't configure it, users can see and change this setting. @@ -990,7 +990,7 @@ This policy setting specifies the action that Windows takes when a user presses If you enable this policy setting, you must select the desired action. -If you disable this policy setting or do not configure it, users can see and change this setting. +If you disable this policy setting or don't configure it, users can see and change this setting. @@ -1051,9 +1051,9 @@ This policy setting allows you to specify the period of inactivity before Window If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. -If you disable or do not configure this policy setting, users control this setting. +If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -1099,9 +1099,9 @@ This policy setting allows you to specify the period of inactivity before Window If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. -If you disable or do not configure this policy setting, users control this setting. +If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -1145,9 +1145,9 @@ ADMX Info: This policy setting allows you to turn off hybrid sleep. -If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). +If you set this policy setting to 0, a hiberfile isn't generated when the system transitions to sleep (Stand By). -If you set this policy setting to 1 or do not configure this policy setting, users control this setting. +If you set this policy setting to 1 or don't configure this policy setting, users control this setting. @@ -1203,9 +1203,9 @@ The following are the supported values for Hybrid sleep (on battery): This policy setting allows you to turn off hybrid sleep. -If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). +If you set this policy setting to 0, a hiberfile isn't generated when the system transitions to sleep (Stand By). -If you set this policy setting to 1 or do not configure this policy setting, users control this setting. +If you set this policy setting to 1 or don't configure this policy setting, users control this setting. @@ -1259,13 +1259,13 @@ The following are the supported values for Hybrid sleep (plugged in): -This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user isn't present at the computer. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows doesn't automatically transition to sleep. -If you disable or do not configure this policy setting, users control this setting. +If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -1317,13 +1317,13 @@ Default value for unattended sleep timeout (on battery): -This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user isn't present at the computer. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows doesn't automatically transition to sleep. -If you disable or do not configure this policy setting, users control this setting. +If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index ce1673fa34..48b7f7722b 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -105,8 +105,8 @@ manager: dansimp This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. -This policy will contain the comma separated list of approved USB Vid&Pid combinations which the print spooler will allow to print when Device Control is enabled. +These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +This policy will contain the comma-separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled. The format of this setting is `/ [, / ]` Parent deliverable: 26209274 - Device Control: Printer @@ -176,8 +176,8 @@ ADMX Info: This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. -This policy will contain the comma separated list of approved USB Vid&Pid combinations which the print spooler will allow to print when Device Control is enabled. +These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +This policy will contain the comma separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled. The format of this setting is ` / [, / ]` @@ -244,14 +244,14 @@ ADMX Info: This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. This policy will control whether the print spooler will attempt to restrict printing as part of Device Control. The default value of the policy will be Unconfigured. -If the policy value is either Unconfigured or Disabled the print spooler will not restrict printing. +If the policy value is either Unconfigured or Disabled, the print spooler won't restrict printing. -If the policy value is Enabled the print spooler will restrict local printing to USB devices in the Approved Device list. +If the policy value is Enabled, the print spooler will restrict local printing to USB devices in the Approved Device list. @@ -320,14 +320,14 @@ ADMX Info: This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. This policy will control whether the print spooler will attempt to restrict printing as part of Device Control. The default value of the policy will be Unconfigured. -If the policy value is either Unconfigured or Disabled the print spooler will not restrict printing. +If the policy value is either Unconfigured or Disabled, the print spooler won't restrict printing. -If the policy value is Enabled the print spooler will restrict local printing to USB devices in the Approved Device list. +If the policy value is Enabled, the print spooler will restrict local printing to USB devices in the Approved Device list. @@ -374,11 +374,11 @@ This policy setting controls the client Point and Print behavior, including the If you enable this policy setting: -- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. +- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made. -- You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. +- You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated. -If you do not configure this policy setting: +If you don't configure this policy setting: - Windows Vista client computers can point and print to any server. @@ -392,9 +392,9 @@ If you disable this policy setting: - Windows Vista client computers can create a printer connection to any server using Point and Print. -- Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +- Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. -- Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +- Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. - Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. @@ -457,11 +457,11 @@ This policy setting controls the client Point and Print behavior, including the If you enable this policy setting: -- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. +- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made. -- You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. +- You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated. -If you do not configure this policy setting: +If you don't configure this policy setting: - Windows Vista client computers can point and print to any server. @@ -475,9 +475,9 @@ If you disable this policy setting: - Windows Vista client computers can create a printer connection to any server using Point and Print. -- Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +- Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. -- Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +- Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. - Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. @@ -524,11 +524,11 @@ ADMX Info: Determines whether the computer's shared printers can be published in Active Directory. -If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. +If you enable this setting or don't configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. -If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available. +If you disable this setting, this computer's shared printers can't be published in Active Directory, and the "List in directory" option isn't available. -Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". +Note: This setting takes priority over the setting "Automatically publish new printers in the Active Directory". diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 69ec854522..64c53af12c 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -71,15 +71,15 @@ manager: dansimp This policy setting lets you customize warning messages. -The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer. +The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before users share control of their computers. -The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer. +The "Display warning message before connecting" policy setting allows you to specify a custom message to display before users allow a connection to their computers. If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice. If you disable this policy setting, the user sees the default warning message. -If you do not configure this policy setting, the user sees the default warning message. +If you don't configure this policy setting, the user sees the default warning message. @@ -125,9 +125,9 @@ This policy setting allows you to turn logging on or off. Log files are located If you enable this policy setting, log files are generated. -If you disable this policy setting, log files are not generated. +If you disable this policy setting, log files aren't generated. -If you do not configure this setting, application-based settings are used. +If you don't configure this setting, application-based settings are used. @@ -171,19 +171,19 @@ ADMX Info: This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. -If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. +If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure more Remote Assistance settings. -If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. +If you disable this policy setting, users on this computer can't use email or file transfer to ask someone for help. Also, users can't use instant messaging programs to allow connections to this computer. -If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. +If you don't configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. -The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. +The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting isn't available in Windows Vista since SMAPI is the only method supported. -If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. +If you enable this policy setting, you should also enable appropriate firewall exceptions to allow Remote Assistance communications. @@ -229,9 +229,9 @@ This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. -If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. +If you disable this policy setting, users on this computer can't get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. -If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. +If you don't configure this policy setting, users on this computer can't get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. @@ -241,7 +241,7 @@ To configure the list of helpers, click "Show." In the window that opens, you ca ` \ ` -If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. +If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you're running. Windows Vista and later diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index 5941d52099..7d2559655b 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -18,6 +18,8 @@ manager: dansimp ## RemoteDesktop policies +> [!Warning] +> Some information relates to prerelease products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - @@ -28,17 +30,10 @@ manager: dansimp
-**RemoteDesktop/AutoSubscription<** +**RemoteDesktop/AutoSubscription** @@ -57,26 +52,17 @@ manager: dansimp [Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] -> * Device +> * User
-This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. +This policy allows administrators to enable automatic subscription for the Microsoft Remote Desktop client. If you define this policy, the specified URL is used by the client to silently subscribe the logged on user and retrieve the remote resources assigned to them. To automatically subscribe to Azure Virtual Desktop in the Azure Public cloud, set the URL to `https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery`. - - -ADMX Info: -- GP Friendly name: *Customize warning messages* -- GP name: *AutoSubscription* -- GP path: *System/Remote Desktop* -- GP ADMX file name: *remotedesktop.admx* - -
@@ -107,7 +93,7 @@ ADMX Info: -This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. +This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using FSLogix user profiles from Azure AD-joined VMs. @@ -119,14 +105,6 @@ The following list shows the supported values: - -ADMX Info: -- GP Friendly name: *Allow DPAPI cred keys to be loaded from user profiles during logon for AADJ accounts* -- GP name: *LoadAadCredKeyFromProfile* -- GP path: *System/RemoteDesktop* -- GP ADMX file name: *remotedesktop.admx* - -
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 31f36b4007..6519b2d40c 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -81,9 +81,9 @@ This policy setting allows you to configure remote access to computers by using If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. -If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. +If you disable this policy setting, users can't connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but won't accept any new incoming connections. -If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. +If you don't configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections aren't allowed. Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. @@ -129,17 +129,17 @@ ADMX Info: -Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. +Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: -* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers. +* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that don't support this encryption level can't connect to RD Session Host servers. -* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption. +* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that don't support 128-bit encryption. * Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption. -If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. +If you disable or don't configure this setting, the encryption level to be used for remote connections to RD Session Host servers isn't enforced through Group Policy. Important @@ -189,11 +189,11 @@ This policy setting specifies whether to prevent the mapping of client drives in By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format `` on ` `. You can use this policy setting to override this behavior. -If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2019 and Windows 10. +If you enable this policy setting, client drive redirection isn't allowed in Remote Desktop Services sessions, and Clipboard file copy redirection isn't allowed on computers running Windows Server 2019 and Windows 10. If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. -If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. +If you don't configure this policy setting, client drive redirection and Clipboard file copy redirection aren't specified at the Group Policy level. @@ -237,7 +237,7 @@ ADMX Info: Controls whether passwords can be saved on this computer from Remote Desktop Connection. -If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. +If you enable this setting, the password-saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password that previously existed in the RDP file will be deleted. If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. @@ -285,13 +285,13 @@ This policy setting specifies whether Remote Desktop Services always prompts the You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. -By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. +By default, Remote Desktop Services allows users to automatically sign in by entering a password in the Remote Desktop Connection client. -If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. +If you enable this policy setting, users can't automatically sign in to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They're prompted for a password to sign in. -If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. +If you disable this policy setting, users can always sign in to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. -If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. +If you don't configure this policy setting, automatic logon isn't specified at the Group Policy level. @@ -337,9 +337,9 @@ Specifies whether a Remote Desktop Session Host server requires secure RPC commu You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. -If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. +If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and doesn't allow unsecured communication with untrusted clients. -If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request. +If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that don't respond to the request. If the status is set to Not Configured, unsecured communication is allowed. diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 7062b9695c..a0059027d9 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -108,7 +108,7 @@ This policy setting allows you to manage whether the Windows Remote Management ( If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text. -If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication. +If you disable or don't configure this policy setting, the WinRM client doesn't use Basic authentication. @@ -154,7 +154,7 @@ This policy setting allows you to manage whether the Windows Remote Management ( If you enable this policy setting, the WinRM service accepts Basic authentication from a remote client. -If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client. +If you disable or don't configure this policy setting, the WinRM service doesn't accept Basic authentication from a remote client. @@ -200,7 +200,7 @@ This policy setting allows you to manage whether the Windows Remote Management ( If you enable this policy setting, the WinRM client uses CredSSP authentication. -If you disable or do not configure this policy setting, the WinRM client does not use CredSSP authentication. +If you disable or don't configure this policy setting, the WinRM client doesn't use CredSSP authentication. @@ -246,7 +246,7 @@ This policy setting allows you to manage whether the Windows Remote Management ( If you enable this policy setting, the WinRM service accepts CredSSP authentication from a remote client. -If you disable or do not configure this policy setting, the WinRM service does not accept CredSSP authentication from a remote client. +If you disable or don't configure this policy setting, the WinRM service doesn't accept CredSSP authentication from a remote client. @@ -294,11 +294,11 @@ If you enable this policy setting, the WinRM service automatically listens on th To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP). -If you disable or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured. +If you disable or don't configure this policy setting, the WinRM service won't respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured. The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges. -You should use an asterisk (\*) to indicate that the service listens on all available IP addresses on the computer. When \* is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses. +You should use an asterisk (\*) to indicate that the service listens on all available IP addresses on the computer. When \* is used, other ranges in the filter are ignored. If the filter is left blank, the service doesn't listen on any addresses. For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty. @@ -351,7 +351,7 @@ This policy setting allows you to manage whether the Windows Remote Management ( If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. -If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. +If you disable or don't configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. @@ -397,7 +397,7 @@ This policy setting allows you to manage whether the Windows Remote Management ( If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. -If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. +If you disable or don't configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. @@ -441,9 +441,9 @@ ADMX Info: This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. -If you enable this policy setting, the WinRM client does not use Digest authentication. +If you enable this policy setting, the WinRM client doesn't use Digest authentication. -If you disable or do not configure this policy setting, the WinRM client uses Digest authentication. +If you disable or don't configure this policy setting, the WinRM client uses Digest authentication. @@ -487,9 +487,9 @@ ADMX Info: This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Negotiate authentication. -If you enable this policy setting, the WinRM client does not use Negotiate authentication. +If you enable this policy setting, the WinRM client doesn't use Negotiate authentication. -If you disable or do not configure this policy setting, the WinRM client uses Negotiate authentication. +If you disable or don't configure this policy setting, the WinRM client uses Negotiate authentication. @@ -533,9 +533,9 @@ ADMX Info: This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Negotiate authentication from a remote client. -If you enable this policy setting, the WinRM service does not accept Negotiate authentication from a remote client. +If you enable this policy setting, the WinRM service doesn't accept Negotiate authentication from a remote client. -If you disable or do not configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client. +If you disable or don't configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client. @@ -577,13 +577,13 @@ ADMX Info: -This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. +This policy setting allows you to manage whether the Windows Remote Management (WinRM) service won't allow RunAs credentials to be stored for any plug-ins. -If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. +If you enable this policy setting, the WinRM service won't allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. -If you disable or do not configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely. +If you disable or don't configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely. -If you enable and then disable this policy setting,any values that were previously configured for RunAsPassword will need to be reset. +If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset. @@ -625,17 +625,17 @@ ADMX Info: -This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to channel binding tokens. +This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service regarding channel binding tokens. If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to determine whether or not to accept a received request, based on a supplied channel binding token. -If you disable or do not configure this policy setting, you can configure the hardening level locally on each computer. +If you disable or don't configure this policy setting, you can configure the hardening level locally on each computer. If HardeningLevel is set to Strict, any request not containing a valid channel binding token is rejected. -If HardeningLevel is set to Relaxed (default value), any request containing an invalid channel binding token is rejected. However, a request that does not contain a channel binding token is accepted (though it is not protected from credential-forwarding attacks). +If HardeningLevel is set to Relaxed (default value), any request containing an invalid channel binding token is rejected. However, a request that doesn't contain a channel binding token is accepted (though it isn't protected from credential-forwarding attacks). -If HardeningLevel is set to None, all requests are accepted (though they are not protected from credential-forwarding attacks). +If HardeningLevel is set to None, all requests are accepted (though they aren't protected from credential-forwarding attacks). @@ -679,9 +679,9 @@ ADMX Info: This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. -If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host. +If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when HTTPS or Kerberos is used to authenticate the identity of the host. -If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. +If you disable or don't configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. @@ -727,7 +727,7 @@ This policy setting turns on or turns off an HTTP listener created for backward If you enable this policy setting, the HTTP listener always appears. -If you disable or do not configure this policy setting, the HTTP listener never appears. +If you disable or don't configure this policy setting, the HTTP listener never appears. When certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes to 5985. @@ -777,7 +777,7 @@ This policy setting turns on or turns off an HTTPS listener created for backward If you enable this policy setting, the HTTPS listener always appears. -If you disable or do not configure this policy setting, the HTTPS listener never appears. +If you disable or don't configure this policy setting, the HTTPS listener never appears. When certain port 443 listeners are migrated to WinRM 2.0, the listener port number changes to 5986. diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index a750b0adde..c2235cdbb4 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -1,6 +1,6 @@ --- title: Policy CSP - RemoteProcedureCall -description: The Policy CSP - RemoteProcedureCall setting controls whether RPC clients authenticate when the call they are making contains authentication information. +description: The Policy CSP - RemoteProcedureCall setting controls whether RPC clients authenticate when the call they're making contains authentication information. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -64,15 +64,15 @@ manager: dansimp -This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. +This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner. -If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. +If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. -If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. +If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service. -If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. +If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service. -Note: This policy will not be applied until the system is rebooted. +Note: This policy won't be applied until the system is rebooted. @@ -116,13 +116,13 @@ ADMX Info: This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. -This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. +This policy setting impacts all RPC applications. In a domain environment, this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. -If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. +If you don't configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. -If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. +If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. - "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. @@ -131,7 +131,7 @@ If you enable this policy setting, it directs the RPC server runtime to restrict - "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. > [!NOTE] -> This policy setting will not be applied until the system is rebooted. +> This policy setting won't be applied until the system is rebooted. diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 5c7775b5f5..b56f078278 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -160,7 +160,7 @@ ADMX Info: -This is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an AAD account. +This value is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an AAD account. @@ -194,7 +194,7 @@ This is a simple boolean value, default false, that can be set by MDM policy to -Controls if the user can configure search to Find My Files mode, which searches files in secondary hard drives and also outside of the user profile. Find My Files does not allow users to search files or locations to which they do not have access. +Controls if the user can configure search to Find My Files mode, which searches files in secondary hard drives and also outside of the user profile. Find My Files doesn't allow users to search files or locations to which they don't have access. @@ -252,7 +252,7 @@ Allows or disallows the indexing of items. This switch is for the Windows Search When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified. -When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device. +When the policy is disabled, the WIP protected items aren't indexed and don't show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are many WIP-protected media files on the device. Most restricted value is 0. @@ -302,7 +302,7 @@ The following list shows the supported values: -Specifies whether search can leverage location information. +Specifies whether search can use location information. Most restricted value is 0. @@ -605,9 +605,9 @@ The following list shows the supported values: This policy setting configures whether or not locations on removable drives can be added to libraries. -If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. +If you enable this policy setting, locations on removable drives can't be added to libraries. In addition, locations on removable drives can't be indexed. -If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. +If you disable or don't configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. @@ -659,7 +659,7 @@ Don't search the web or display web results in Search, or show search highlights This policy setting allows you to control whether or not Search can perform queries on the web, if web results are displayed in Search, and if search highlights are shown in the search box and in search home. -- If you enable this policy setting, queries won't be performed on the web, web results won't be displayed when a user performs a query in Search, and search highlights will not be shown in the search box and in search home. +- If you enable this policy setting, queries won't be performed on the web, web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home. - If you disable this policy setting, queries will be performed on the web, web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home. @@ -711,7 +711,7 @@ The following list shows the supported values: Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. -Enable this policy if computers in your environment have extremely limited hard drive space. +Enable this policy if computers in your environment have limited hard drive space. When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. @@ -761,7 +761,7 @@ The following list shows the supported values: -If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. +If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index.. diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index dc3da9ca62..dcf870fbf8 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -199,7 +199,7 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Will not force recovery from a non-ready TPM state. +- 0 (default) – Won't force recovery from a non-ready TPM state. - 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. @@ -326,7 +326,7 @@ This policy controls the Admin Authentication requirement in RecoveryEnvironment Supported values: - 0 - Default: Keep using default(current) behavior - 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment -- 2 - NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment +- 2 - NoRequireAuthentication: Admin Authentication isn't required for components in RecoveryEnvironment @@ -344,10 +344,10 @@ The process of starting Push Button Reset (PBR) in WinRE: 1. Open a cmd as Administrator, run command "reagentc /boottore" and restart the OS to boot to WinRE. 1. OS should boot to the blue screen of WinRE UI, go through TroubleShoot -> Reset this PC, it should show two options: "Keep my files" and "Remove everything". -If the MDM policy is set to "Default" (0) or does not exist, the admin authentication flow should work as default behavior: +If the MDM policy is set to "Default" (0) or doesn't exist, the admin authentication flow should work as default behavior: 1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. -1. Click "<-" (right arrow) button and choose "Remove everything", it should not pop up admin authentication and just go to PBR options. +1. Click "<-" (right arrow) button and choose "Remove everything", it shouldn't pop up admin authentication and just go to PBR options. If the MDM policy is set to "RequireAuthentication" (1) @@ -356,9 +356,9 @@ If the MDM policy is set to "RequireAuthentication" (1) If the MDM policy is set to "NoRequireAuthentication" (2) -1. Start PBR in WinRE, choose "Keep my files", it should not pop up admin authentication. +1. Start PBR in WinRE, choose "Keep my files", it shouldn't pop up admin authentication. 1. Go through PBR options and click "cancel" at final confirmation page, wait unit the UI is back. -1. Click "TroubleShoot" -> "Reset this PC" again, choose "Remove everything", it should not pop up admin authentication neither. +1. Click "TroubleShoot" -> "Reset this PC" again, choose "Remove everything", it shouldn't pop up admin authentication neither. @@ -403,7 +403,7 @@ Most restricted value is 1. The following list shows the supported values: -- 0 (default) – Encryption is not required. +- 0 (default) – Encryption isn't required. - 1 – Encryption is required. diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 8713e65ba8..1b0e0f8bc4 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -249,7 +249,7 @@ This policy disables edit device name option on Settings. -Describes what value are supported in by this policy and meaning of each value, default value. +Describes what values are supported in by this policy and meaning of each value, default value. @@ -626,7 +626,7 @@ ADMX Info: The following list shows the supported values: - 0 (default) – User will be allowed to configure the setting. -- 1 – Don't show additional calendars. +- 1 – Don't show more calendars. - 2 - Simplified Chinese (Lunar). - 3 - Traditional Chinese (Lunar). diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 2fd9258e23..f760f05bc0 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -156,7 +156,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. +- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. @@ -197,7 +197,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. +- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. @@ -238,7 +238,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. +- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. @@ -279,7 +279,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. +- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. @@ -320,7 +320,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. +- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. @@ -361,7 +361,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. +- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. @@ -402,7 +402,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. +- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. @@ -443,7 +443,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. +- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. @@ -484,7 +484,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. +- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. @@ -525,7 +525,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. +- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. @@ -634,7 +634,7 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – False (Do not disable). +- 0 (default) – False (don't disable). - 1 - True (disable). @@ -679,13 +679,13 @@ The following list shows the supported values: Forces the start screen size. -If there is policy configuration conflict, the latest configuration request is applied to the device. +If there's policy configuration conflict, the latest configuration request is applied to the device. The following list shows the supported values: -- 0 (default) – Do not force size of Start. +- 0 (default) – Don't force size of Start. - 1 – Force non-fullscreen size of Start. - 2 - Force a fullscreen size of Start. @@ -730,12 +730,12 @@ Allows IT Admins to configure Start by collapsing or removing the all apps list. > There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: - 1 - Enable policy and restart explorer.exe -- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle is not grayed out. +- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle isn't grayed out. - 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. -- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out. +- 2c - If set to '3': Verify that there's no way of opening the all apps list from Start, and that the Settings toggle is grayed out. @@ -783,15 +783,15 @@ Allows IT Admins to configure Start by hiding "Change account settings" from app The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. -2. Open Start, click on the user tile, and verify that "Change account settings" is not available. +2. Open Start, click on the user tile, and verify that "Change account settings" isn't available. @@ -834,19 +834,19 @@ Allows IT Admins to configure Start by hiding most used apps. The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable "Show most used apps" in the Settings app. 2. Use some apps to get them into the most used group in Start. 3. Enable policy. 4. Restart explorer.exe 5. Check that "Show most used apps" Settings toggle is grayed out. -6. Check that most used apps do not appear in Start. +6. Check that most used apps don't appear in Start. @@ -883,21 +883,21 @@ Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the > [!NOTE] -> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's. +> This policy can only be verified on laptops as "Hibernate" doesn't appear on regular PC's. The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Laptop, do the following: +To validate on Laptop, do the following steps: 1. Enable policy. -2. Open Start, click on the Power button, and verify "Hibernate" is not available. +2. Open Start, click on the Power button, and verify "Hibernate" isn't available. @@ -936,15 +936,15 @@ Allows IT Admins to configure Start by hiding "Lock" from appearing in the user The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. -2. Open Start, click on the user tile, and verify "Lock" is not available. +2. Open Start, click on the user tile, and verify "Lock" isn't available. @@ -977,7 +977,7 @@ To validate on Desktop, do the following: -Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. +Enabling this policy removes the people icon from the taskbar and the corresponding settings toggle. It also prevents users from pinning people to the taskbar. Value type is integer. @@ -993,7 +993,7 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). @@ -1036,15 +1036,15 @@ Allows IT Admins to configure Start by hiding the Power button from appearing. The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. -2. Open Start, and verify the power button is not available. +2. Open Start, and verify the power button isn't available. @@ -1086,12 +1086,12 @@ Allows IT Admins to configure Start by hiding recently opened items in the jump The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings. 2. Pin Photos to the taskbar, and open some images in the photos app. @@ -1101,7 +1101,7 @@ To validate on Desktop, do the following: 6. Restart explorer.exe 7. Check that Settings toggle is grayed out. 8. Repeat Step 2. -9. Right Click pinned photos app and verify that there is no jump list of recent items. +9. Right Click pinned photos app and verify that there's no jump list of recent items. @@ -1152,19 +1152,19 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable "Show recently added apps" in the Settings app. 2. Check if there are recently added apps in Start (if not, install some). 3. Enable policy. 4. Restart explorer.exe 5. Check that "Show recently added apps" Settings toggle is grayed out. -6. Check that recently added apps do not appear in Start. +6. Check that recently added apps don't appear in Start. @@ -1203,15 +1203,15 @@ Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. -2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available. +2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" aren't available. @@ -1250,15 +1250,15 @@ Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut d The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. -2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available. +2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" aren't available. @@ -1297,15 +1297,15 @@ Allows IT Admins to configure Start by hiding "Sign out" from appearing in the u The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. -2. Open Start, click on the user tile, and verify "Sign out" is not available. +2. Open Start, click on the user tile, and verify "Sign out" isn't available. @@ -1344,15 +1344,15 @@ Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Powe The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. -2. Open Start, click on the Power button, and verify that "Sleep" is not available. +2. Open Start, click on the Power button, and verify that "Sleep" isn't available. @@ -1391,15 +1391,15 @@ Allows IT Admins to configure Start by hiding "Switch account" from appearing in The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. -2. Open Start, click on the user tile, and verify that "Switch account" is not available. +2. Open Start, click on the user tile, and verify that "Switch account" isn't available. @@ -1441,16 +1441,16 @@ Allows IT Admins to configure Start by hiding the user tile. The following list shows the supported values: -- 0 (default) – False (do not hide). +- 0 (default) – False (don't hide). - 1 - True (hide). -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. -2. Log off. -3. Log in, and verify that the user tile is gone from Start. +2. Sign out. +3. Sign in, and verify that the user tile is gone from Start. @@ -1486,7 +1486,7 @@ To validate on Desktop, do the following: > [!NOTE] > This policy requires reboot to take effect. -Here is additional SKU support information: +Here's more SKU support information: |Release |SKU Supported | |---------|---------| @@ -1494,7 +1494,7 @@ Here is additional SKU support information: |Windows 10, version 1703 and later |Enterprise, Education, Business | |Windows 10, version 1709 and later |Enterprise, Education, Business, Pro, ProEducation, S, ProWorkstation | -This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. +This policy imports Edge assets (for example, .png/.jpg files) for secondary tiles into its local app data path, which allows the StartLayout policy to pin Edge secondary tiles as weblink that ties to the image asset files. > [!IMPORTANT] > Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. @@ -1503,7 +1503,7 @@ The value set for this policy is an XML string containing Edge assets. For an e -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Set policy with an XML for Edge assets. 2. Set StartLayout policy to anything so that it would trigger the Edge assets import. @@ -1552,13 +1552,13 @@ The following list shows the supported values: -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. 2. Right click on a program pinned to taskbar. -3. Verify that "Unpin from taskbar" menu does not show. +3. Verify that "Unpin from taskbar" menu doesn't show. 4. Open Start and right click on one of the app list icons. -5. Verify that More->Pin to taskbar menu does not show. +5. Verify that More->Pin to taskbar menu doesn't show. @@ -1622,8 +1622,8 @@ To validate on Desktop, do the following: The following list shows the supported values: -- 1 - Force showing of Most Used Apps in Start Menu, user cannot change in Settings -- 0 - Force hiding of Most Used Apps in Start Menu, user cannot change in Settings +- 1 - Force showing of Most Used Apps in Start Menu, user can't change in Settings +- 0 - Force hiding of Most Used Apps in Start Menu, user can't change in Settings - Not set - User can use Settings to hide or show Most Used Apps in Start Menu On clean install, the user setting defaults to "hide". @@ -1664,7 +1664,7 @@ On clean install, the user setting defaults to "hide". > [!IMPORTANT] > In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope) -Here is additional SKU support information: +Here's more SKU support information: |Release |SKU Supported | |---------|---------| @@ -1674,7 +1674,7 @@ Here is additional SKU support information: Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy -For further details on how to customize the Start layout, please see [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](/windows/configuration/configure-windows-10-taskbar). +For more information on how to customize the Start layout, see [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](/windows/configuration/configure-windows-10-taskbar). diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 77b5ec67b9..d600b89da2 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -107,7 +107,7 @@ ADMX Info: The following list shows the supported values: -- 0 - Do not allow +- 0 - Don't allow - 1 (default) - Allow @@ -128,7 +128,7 @@ The following list shows the supported values: |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 do not support group policy. +Note: Versions prior to version 1903 don't support group policy.
@@ -145,11 +145,11 @@ Note: Versions prior to version 1903 do not support group policy. Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the Storage/ConfigStorageSenseGlobalCadence group policy. -If you enable this policy setting without setting a cadence, Storage Sense is turned on for the machine with the default cadence of "during low free disk space." Users cannot disable Storage Sense, but they can adjust the cadence (unless you also configure the Storage/ConfigStorageSenseGlobalCadence group policy). +If you enable this policy setting without setting a cadence, Storage Sense is turned on for the machine with the default cadence of "during low free disk space." Users can't disable Storage Sense, but they can adjust the cadence (unless you also configure the Storage/ConfigStorageSenseGlobalCadence group policy). -If you disable this policy setting, the machine will turn off Storage Sense. Users cannot enable Storage Sense. +If you disable this policy setting, the machine will turn off Storage Sense. Users can't enable Storage Sense. -If you do not configure this policy setting, Storage Sense is turned off by default until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings. +If you don't configure this policy setting, Storage Sense is turned off by default until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings. ADMX Info: @@ -185,7 +185,7 @@ ADMX Info: |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 do not support group policy. +Note: Versions prior to version 1903 don't support group policy.
@@ -200,15 +200,15 @@ Note: Versions prior to version 1903 do not support group policy. -When Storage Sense runs, it can delete the user’s temporary files that are not in use. +When Storage Sense runs, it can delete the user’s temporary files that aren't in use. -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. +If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. -If you enable this policy setting, Storage Sense will delete the user’s temporary files that are not in use. Users cannot disable this setting in Storage settings. +If you enable this policy setting, Storage Sense will delete the user’s temporary files that aren't in use. Users can't disable this setting in Storage settings. -If you disable this policy setting, Storage Sense will not delete the user’s temporary files. Users cannot enable this setting in Storage settings. +If you disable this policy setting, Storage Sense won't delete the user’s temporary files. Users can't enable this setting in Storage settings. -If you do not configure this policy setting, Storage Sense will delete the user’s temporary files by default. Users can configure this setting in Storage settings. +If you don't configure this policy setting, Storage Sense will delete the user’s temporary files by default. Users can configure this setting in Storage settings. @@ -245,7 +245,7 @@ ADMX Info: |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 do not support group policy. +Note: Versions prior to version 1903 don't support group policy.
@@ -260,15 +260,15 @@ Note: Versions prior to version 1903 do not support group policy. -When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. +When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain number of days. -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. +If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365. -If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content. +If you set this value to zero, Storage Sense won't dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content. -If you disable or do not configure this policy setting, then Storage Sense will not dehydrate any cloud-backed content by default. Users can configure this setting in Storage settings. +If you disable or don't configure this policy setting, then Storage Sense won't dehydrate any cloud-backed content by default. Users can configure this setting in Storage settings. @@ -305,7 +305,7 @@ ADMX Info: |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 do not support group policy. +Note: Versions prior to version 1903 don't support group policy.
@@ -322,13 +322,13 @@ Note: Versions prior to version 1903 do not support group policy. When Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. +If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0-365. -If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder. The default is 0, or never deleting files in the Downloads folder. +If you set this value to zero, Storage Sense won't delete files in the user’s Downloads folder. The default is 0, or never deleting files in the Downloads folder. -If you disable or do not configure this policy setting, then Storage Sense will not delete files in the user’s Downloads folder by default. Users can configure this setting in Storage settings. +If you disable or don't configure this policy setting, then Storage Sense won't delete files in the user’s Downloads folder by default. Users can configure this setting in Storage settings. @@ -365,7 +365,7 @@ ADMX Info: |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 do not support group policy. +Note: Versions prior to version 1903 don't support group policy.
@@ -381,7 +381,7 @@ Note: Versions prior to version 1903 do not support group policy. Storage Sense can automatically clean some of the user’s files to free up disk space. -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. +If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. If you enable this policy setting, you must provide the desired Storage Sense cadence. @@ -394,7 +394,7 @@ The following are supported options: The default is 0 (during low free disk space). -If you do not configure this policy setting, then the Storage Sense cadence is set to “during low free disk space” by default. Users can configure this setting in Storage settings. +If you don't configure this policy setting, then the Storage Sense cadence is set to “during low free disk space” by default. Users can configure this setting in Storage settings. @@ -431,7 +431,7 @@ ADMX Info: |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 do not support group policy. +Note: Versions prior to version 1903 don't support group policy.
@@ -446,15 +446,15 @@ Note: Versions prior to version 1903 do not support group policy. -When Storage Sense runs, it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. +When Storage Sense runs, it can delete files in the user’s Recycle Bin if they've been there for over a certain number of days. -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. +If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0–365. -If you set this value to zero, Storage Sense will not delete files in the user’s Recycle Bin. The default is 30 days. +If you set this value to zero, Storage Sense won't delete files in the user’s Recycle Bin. The default is 30 days. -If you disable or do not configure this policy setting, Storage Sense will delete files in the user’s Recycle Bin that have been there for over 30 days by default. Users can configure this setting in Storage settings. +If you disable or don't configure this policy setting, Storage Sense will delete files in the user’s Recycle Bin which have been there for over 30 days by default. Users can configure this setting in Storage settings. @@ -506,9 +506,9 @@ ADMX Info: This policy setting configures whether or not Windows will activate an Enhanced Storage device. -If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. +If you enable this policy setting, Windows won't activate unactivated Enhanced Storage devices. -If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. +If you disable or don't configure this policy setting, Windows will activate unactivated Enhanced Storage devices. > [!TIP] @@ -556,7 +556,7 @@ ADMX Info: -If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. +If you enable this policy setting, write access is denied to this removable storage class. If you disable or don't configure this policy setting, write access is allowed to this removable storage class. > [!Note] > To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." @@ -616,7 +616,7 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin -This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: +This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth @@ -624,10 +624,10 @@ This policy will do the enforcement over the following protocols which are used To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). -If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. +If enabled, this policy will block end-user from Read access on any Windows Portal devices, for example, mobile/iOS/Android. >[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, for example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. Supported values for this policy are: - Not configured @@ -678,7 +678,7 @@ ADMX Info: -This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: +This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth @@ -686,7 +686,7 @@ This policy will do the enforcement over the following protocols which are used To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). -If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. +If enabled, this policy will block end-user from Read access on any Windows Portal devices, for example, mobile/iOS/Android. >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -740,7 +740,7 @@ ADMX Info: -This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: +This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth @@ -748,7 +748,7 @@ This policy will do the enforcement over the following protocols which are used To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). -If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. +If enabled, this policy will block end-user from Write access on any Windows Portal devices, for example, mobile/iOS/Android. >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -802,7 +802,7 @@ ADMX Info: -This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: +This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth @@ -810,7 +810,7 @@ This policy will do the enforcement over the following protocols which are used To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). -If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. +If enabled, this policy will block end-user from Write access on any Windows Portal devices, for example, mobile/iOS/Android. >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 9e31c3a67b..a824fde8d4 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -144,7 +144,7 @@ manager: dansimp This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. -If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. +If you enable or don't configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. @@ -201,9 +201,9 @@ To enable this behavior, you must complete two steps: Windows diagnostic data is collected when the Allow Telemetry policy setting is set to 1 – **Required (Basic)** or above. -If you disable or do not configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft’s [privacy statement](https://go.microsoft.com/fwlink/?LinkId=521839) unless you have enabled policies like Allow Update Compliance Processing or Allow Desktop Analytics Processing. +If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft’s [privacy statement](https://go.microsoft.com/fwlink/?LinkId=521839) unless you have enabled policies like Allow Update Compliance Processing or Allow Desktop Analytics Processing. -Configuring this setting does not change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Update Compliance. +Configuring this setting doesn't change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Update Compliance. See the documentation at [ConfigureWDD](https://aka.ms/ConfigureWDD) for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. @@ -248,11 +248,11 @@ To enable this behavior, you must complete three steps: 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above 3. Set the Configure the Commercial ID setting for your Desktop Analytics workspace -This setting has no effect on devices unless they are properly enrolled in Desktop Analytics. +This setting has no effect on devices unless they're properly enrolled in Desktop Analytics. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. -If you disable or do not configure this policy setting, devices will not appear in Desktop Analytics. +If you disable or don't configure this policy setting, devices won't appear in Desktop Analytics. The following list shows the supported values: @@ -289,7 +289,7 @@ The following list shows the supported values: -This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. +This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or don't configure this policy setting, then device name won't be sent to Microsoft as part of Windows diagnostic data. @@ -385,7 +385,7 @@ The following list shows the supported values: > [!NOTE] -> This policy is not supported in Windows 10, version 1607. +> This policy isn't supported in Windows 10, version 1607. This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. @@ -430,11 +430,11 @@ The following list shows the supported values: -Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally installed fonts. +Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally installed fonts. -This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). +This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value isn't set by default, so the default behavior is true (enabled). -This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. +This setting is used by lower-level components for text display and fond handling and hasn't direct effect on web browsers, which may download web fonts used in web content. > [!NOTE] > Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. @@ -458,7 +458,7 @@ The following list shows the supported values: To verify if System/AllowFontProviders is set to true: -- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. +- After a client machine is rebooted, check whether there's any network traffic from client machine to fs.microsoft.com. @@ -513,9 +513,9 @@ ADMX Info: The following list shows the supported values: -- 0 – Force Location Off. All Location Privacy settings are toggled off and grayed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. +- 0 – Force Location Off. All Location Privacy settings are toggled off and grayed out. Users can't change the settings, and no apps are allowed access to the Location service, including Cortana and Search. - 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. -- 2 – Force Location On. All Location Privacy settings are toggled on and grayed out. Users cannot change the settings and all consent permissions will be automatically suppressed. +- 2 – Force Location On. All Location Privacy settings are toggled on and grayed out. Users can't change the settings and all consent permissions will be automatically suppressed. @@ -531,7 +531,7 @@ This policy setting configures an Azure Active Directory joined device so that M For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data.md). -This setting has no effect on devices unless they are properly enrolled in Microsoft Managed Desktop. +This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. @@ -575,7 +575,7 @@ Most restricted value is 0. The following list shows the supported values: -- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. +- 0 – SD card use isn't allowed and USB drives are disabled. This setting doesn't prevent programmatic access to the storage card. - 1 (default) – Allow a storage card. @@ -611,7 +611,7 @@ The following list shows the supported values: Allows the device to send diagnostic and usage telemetry data, such as Watson. -For more information about diagnostic data, including what is and what is not collected by Windows, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization). +For more information about diagnostic data, including what is and what isn't collected by Windows, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization). The following list shows the supported values for Windows 8.1: - 0 - Not allowed. @@ -623,19 +623,19 @@ In Windows 10, you can configure this policy setting to decide what level of dia The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets): -- 0 – **Off (Security)** This turns Windows diagnostic data off. +- 0 – **Off (Security)** This value turns Windows diagnostic data off. > [!NOTE] > This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. - 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. +- 2 – (**Enhanced**) Sends the same data as a value of 1, plus extra insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. > [!NOTE] > **Enhanced** is no longer an option for Windows Holographic, version 21H1. -- 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. +- 3 – **Optional (Full)** Sends the same data as a value of 2, plus extra data necessary to identify and fix problems with devices such as enhanced error logs. Most restrictive value is 0. @@ -689,7 +689,7 @@ To enable this behavior, you must complete three steps: When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. -If you disable or do not configure this policy setting, devices will not appear in Update Compliance. +If you disable or don't configure this policy setting, devices won't appear in Update Compliance. @@ -771,7 +771,7 @@ To enable this behavior, you must complete three steps: When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. -If you disable or do not configure this policy setting, devices enrolled to the Windows Update for Business deployment service will not be able to take advantage of some deployment service features. +If you disable or don't configure this policy setting, devices enrolled to the Windows Update for Business deployment service won't be able to take advantage of some deployment service features.
@@ -810,16 +810,16 @@ The following list shows the supported values: This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: -- Good: The driver has been signed and has not been tampered with. -- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. -- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. -- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. +- Good: The driver has been signed and hasn't been tampered with. +- Bad: The driver has been identified as malware. It's recommended that you don't allow known bad drivers to be initialized. +- Bad, but required for boot: The driver has been identified as malware, but the computer can't successfully boot without loading this driver. +- Unknown: This driver hasn't been attested to by your malware detection application and hasn't been classified by the Early Launch Antimalware boot-start driver. -If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. +If you enable this policy setting, you'll be able to choose which boot-start drivers to initialize the next time the computer is started. -If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. +If you disable or don't configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. -If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. +If your malware detection application doesn't include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. > [!TIP] @@ -921,9 +921,9 @@ ADMX Info: -This policy setting determines whether a device shows notifications about telemetry levels to people on first logon or when changes occur in Settings. +This policy setting determines whether a device shows notifications about telemetry levels to people on first sign in or when changes occur in Settings. If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. -If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first logon and when changes occur in Settings. +If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first sign in and when changes occur in Settings. @@ -1075,7 +1075,7 @@ ADMX Info: This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. -If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. +If you enable this policy setting, the Diagnostic Data Viewer won't be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. @@ -1126,7 +1126,7 @@ ADMX Info: -This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. +This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or don't configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. @@ -1169,13 +1169,13 @@ ADMX Info: Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: -* Users cannot access OneDrive from the OneDrive app or file picker. -* Microsoft Store apps cannot access OneDrive using the WinRT API. -* OneDrive does not appear in the navigation pane in File Explorer. -* OneDrive files are not kept in sync with the cloud. -* Users cannot automatically upload photos and videos from the camera roll folder. +* Users can't access OneDrive from the OneDrive app or file picker. +* Microsoft Store apps can't access OneDrive using the WinRT API. +* OneDrive doesn't appear in the navigation pane in File Explorer. +* OneDrive files aren't kept in sync with the cloud. +* Users can't automatically upload photos and videos from the camera roll folder. -If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. +If you disable or don't configure this policy setting, apps and features can work with OneDrive file storage. @@ -1194,11 +1194,11 @@ The following list shows the supported values: -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. 2. Restart machine. -3. Verify that OneDrive.exe is not running in Task Manager. +3. Verify that OneDrive.exe isn't running in Task Manager. @@ -1234,11 +1234,11 @@ Allows you to disable System Restore. This policy setting allows you to turn off System Restore. -System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. +System Restore enables users, in case of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. -If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. +If you enable this policy setting, System Restore is turned off, and the System Restore Wizard can't be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. -If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. +If you disable or don't configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. @@ -1287,14 +1287,14 @@ ADMX Info: -When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. +When feedback in the Feedback Hub is being filed, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. The following list shows the supported values: -- 0 (default) - False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. -- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. +- 0 (default) - False. The Feedback Hub won't always save a local copy of diagnostics that may be created when feedback is submitted. The user will have the option to do so. +- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when feedback is submitted. @@ -1326,9 +1326,9 @@ The following list shows the supported values: -This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem. It is sent only if we have permission to collect optional diagnostic data, and only if the device meets the criteria for additional data collection. +This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem. It's sent only if we have permission to collect optional diagnostic data, and only if the device meets the criteria for more data collection. -If you disable or do not configure this policy setting, we may occasionally collect advanced diagnostic data if the user has opted to send optional diagnostic data. +If you disable or don't configure this policy setting, we may occasionally collect advanced diagnostic data if the user has opted to send optional diagnostic data. @@ -1375,11 +1375,11 @@ The following list shows the supported values: -This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. These dumps are not sent unless we have permission to collect optional diagnostic data. +This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. These dumps aren't sent unless we have permission to collect optional diagnostic data. -By enabling this policy setting, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps only. +With this policy setting being enabled, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps only. -If you disable or do not configure this policy setting, we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data. +If you disable or don't configure this policy setting, we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data. @@ -1441,11 +1441,11 @@ To enable this behavior, you must complete two steps: - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) -When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. +When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. -Enabling enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft. +Enabling enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft. -If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. +If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. @@ -1486,9 +1486,9 @@ ADMX Info: -Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. +Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there's no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data won't be transmitted and will remain on the local device. -If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. +If you disable or don't configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. @@ -1531,9 +1531,9 @@ ADMX Info: This policy setting allows you to turn off File History. -If you enable this policy setting, File History cannot be activated to create regular, automatic backups. +If you enable this policy setting, File History can't be activated to create regular, automatic backups. -If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. +If you disable or don't configure this policy setting, File History can be activated to create regular, automatic backups. diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index c1f1785f9d..09a8420d64 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -65,11 +65,11 @@ manager: dansimp -This policy setting controls whether the maintenance task will run to clean up language packs installed on a machine but are not used by any users on that machine. +This policy setting controls whether the maintenance task will run to clean up language packs installed on a machine but aren't used by any users on that machine. -If you enable this policy setting (value 1), language packs that are installed as part of the system image will remain installed even if they are not used by any user on that system. +If you enable this policy setting (value 1), language packs that are installed as part of the system image will remain installed even if they aren't used by any user on that system. -If you disable (value 0) or do not configure this policy setting, language packs that are installed as part of the system image but are not used by any user on that system will be removed as part of a scheduled clean up task. +If you disable (value 0) or don't configure this policy setting, language packs that are installed as part of the system image but aren't used by any user on that system will be removed as part of a scheduled cleanup task. @@ -119,7 +119,7 @@ ADMX Info: -Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. +Specifies the time zone to be applied to the device. This policy name is the standard Windows name for the target time zone. > [!TIP] > To get the list of available time zones, run `Get-TimeZone -ListAvailable` in PowerShell. @@ -165,9 +165,9 @@ Specifies the time zone to be applied to the device. This is the standard Window This policy setting controls which UI language is used for computers with more than one UI language installed. -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator. +If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language. If the specified language isn't installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator. -If you disable or do not configure this policy setting, there is no restriction of a specific language used for the Windows menus and dialogs. +If you disable or don't configure this policy setting, there's no restriction of a specific language used for the Windows menus and dialogs. @@ -217,11 +217,11 @@ ADMX Info: -This policy setting restricts standard users from installing language features on demand. This policy does not restrict the Windows language, if you want to restrict the Windows language use the following policy: “Restricts the UI languages Windows should use for the selected user.” +This policy setting restricts standard users from installing language features on demand. This policy doesn't restrict the Windows language, if you want to restrict the Windows language use the following policy: “Restricts the UI languages Windows should use for the selected user.” If you enable this policy setting, the installation of language features is prevented for standard users. -If you disable or do not configure this policy setting, there is no language feature installation restriction for the standard users. +If you disable or don't configure this policy setting, there's no language feature installation restriction for the standard users. diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index d04526eee3..b19352d765 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -66,17 +66,17 @@ ADMX Info: -This is a numeric policy setting with merge algorithm (lowest value is the most secure) that uses the most restrictive settings for complex manageability scenarios. +This setting is a numeric policy setting with merge algorithm (lowest value is the most secure) that uses the most restrictive settings for complex manageability scenarios. Supported values: -- 0 (default) - Turn this feature off. -- 1 - Turn this feature off but still apply critical troubleshooting. +- 0 (default) - Turn off this feature. +- 1 - Turn off this feature but still apply critical troubleshooting. - 2 - Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. - 3 - Run recommended troubleshooting automatically and notify the user after it ran successfully. - 4 - Run recommended troubleshooting automatically without notifying the user. - 5 - Allow the user to choose their own recommended troubleshooting settings. -By default, this policy is not configured and the SKU based defaults are used for managed devices. Current policy values for SKU's are as follows: +By default, this policy isn't configured and the SKU based defaults are used for managed devices. Current policy values for SKUs are as follows: |SKU|Unmanaged Default|Managed Default| |--- |--- |--- | diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 7b40a61a6b..46fceb630a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -263,7 +263,7 @@ ms.collection: highpri -Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12-hour maximum from start time. +Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. there's a 12-hour maximum from start time. > [!NOTE] > The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. @@ -358,7 +358,7 @@ ADMX Info: -Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12-hour maximum from end time. +Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. > [!NOTE] > The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. @@ -411,7 +411,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and Supported operations are Get and Replace. -If the policy is not configured, end-users get the default behavior (Auto install and restart). +If the policy isn't configured, end-users get the default behavior (Auto install and restart). @@ -427,15 +427,15 @@ ADMX Info: The following list shows the supported values: - 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. Automatic restarting when a device is not being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. +- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. - 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. +- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. - 5 – Turn off automatic updates. > [!IMPORTANT] -> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. +> This option should be used only for systems under regulatory compliance, as you won't get security updates as well. @@ -471,7 +471,7 @@ The following list shows the supported values: Option to download updates automatically over metered connections (off by default). Value type is integer. -A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. +A significant number of devices primarily use cellular data and don't have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. This policy is accessible through the Update setting in the user interface or Group Policy. @@ -540,7 +540,7 @@ The following list shows the supported values: - 1 – Allowed. Accepts updates received through Microsoft Update. > [!NOTE] -> Setting this policy back to **0** or **Not configured** does not revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:. +> Setting this policy back to **0** or **Not configured** doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:. ``` $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager" @@ -589,7 +589,7 @@ This policy is specific to desktop and local publishing via WSUS for third-party The following list shows the supported values: - 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. +- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. @@ -643,7 +643,7 @@ ADMX Info: The following list shows the supported values: -- 0 – Update service is not allowed. +- 0 – Update service isn't allowed. - 1 (default) – Update service is allowed. @@ -689,10 +689,10 @@ The PC must restart for certain updates to take effect. If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. -If you disable or do not configure this policy, the PC will restart according to the default schedule. +If you disable or don't configure this policy, the PC will restart according to the default schedule. If any of the following two policies are enabled, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. +1. No autorestart with signed-in users for scheduled automatic updates installations. 2. Always automatically restart at scheduled time. @@ -743,11 +743,11 @@ Value type is integer. Default is 7 days. Supported values range: 2-30. -Note that the PC must restart for certain updates to take effect. +The PC must restart for certain updates to take effect. If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. -If you disable or do not configure this policy, the PC will restart according to the default schedule. +If you disable or don't configure this policy, the PC will restart according to the default schedule. If any of the following two policies are enabled, this policy has no effect: 1. No autorestart with logged on users for scheduled automatic updates installations. @@ -897,7 +897,7 @@ This policy setting allows you to configure if Automatic Maintenance should make If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if necessary. -If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. +If you disable or don't configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. ADMX Info: @@ -948,7 +948,7 @@ Supported values: -Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of General Availability Channel (Targeted) and General Availability Channel have been combined into one General Availability Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. +Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of General Availability Channel (Targeted) and General Availability Channel have been combined into one General Availability Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 isn't a supported value. @@ -1000,7 +1000,7 @@ The following list shows the supported values: -Allows admins to specify the number of days before feature updates are installed on the device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After the deadline passes, restarts will occur regardless of active hours and users will not be able to reschedule. +Allows admins to specify the number of days before feature updates are installed on the device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. ADMX Info: @@ -1052,7 +1052,7 @@ Default value is 7. -Allows admins to specify the number of days before quality updates are installed on a device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After deadline passes, restarts will occur regardless of active hours and users will not be able to reschedule. +Allows admins to specify the number of days before quality updates are installed on a device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. ADMX Info: @@ -1104,7 +1104,7 @@ Default value is 7. -When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the default value of 2 will be used. +When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy isn't, then the default value of 2 will be used. @@ -1158,7 +1158,7 @@ Default value is 2. -When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy is not, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy isn't, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. @@ -1424,12 +1424,12 @@ Update: - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 -Other/cannot defer: +Other/can't defer: - Maximum deferral: No deferral - Deferral increment: No deferral - Update type/notes: - Any update category not specifically enumerated above falls into this category. + Any update category not enumerated above falls into this category. - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B @@ -1562,7 +1562,7 @@ ADMX Info: -Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. +Don't allow update deferral policies to cause scans against Windows Update. If this policy isn't enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607). @@ -1582,8 +1582,8 @@ ADMX Info: The following list shows the supported values: -- 0 - allow scan against Windows Update -- 1 - do not allow update deferral policies to cause scans against Windows Update +- 0 - Allow scan against Windows Update +- 1 - Don't allow update deferral policies to cause scans against Windows Update @@ -1629,7 +1629,7 @@ IT admins can, if necessary, opt devices out of safeguard protections using this > > The disable safeguards policy will revert to “Not Configured” on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update. > -> Disabling safeguards does not guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you are bypassing the protection given by Microsoft pertaining to known issues. +> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you're bypassing the protection given by Microsoft pertaining to known issues. @@ -1644,7 +1644,7 @@ ADMX Info: The following list shows the supported values: - 0 (default) - Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared. -- 1 - Safeguards are not enabled and upgrades will be deployed without blocking on safeguards. +- 1 - Safeguards aren't enabled and upgrades will be deployed without blocking on safeguards. @@ -1679,7 +1679,7 @@ The following list shows the supported values: To ensure the highest levels of security, we recommended using WSUS TLS certificate pinning on all devices. -By default, certificate pinning for Windows Update client is not enforced. +By default, certificate pinning for Windows Update client isn't enforced. @@ -1694,7 +1694,7 @@ ADMX Info: The following list shows the supported values: - 0 (default) - Enforce certificate pinning -- 1 - Do not enforce certificate pinning +- 1 - Don't enforce certificate pinning @@ -1732,15 +1732,15 @@ For Quality Updates, this policy specifies the deadline in days before automatic The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. > [!NOTE] -> If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. +> If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule aren't set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. Value type is integer. Default is 14. Supported value range: 2 - 30. -If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (for example, pending user scheduling). +If no deadline is specified or deadline is set to 0, the restart won't be automatically executed and will remain Engaged restart (for example, pending user scheduling). -If you disable or do not configure this policy, the default behaviors will be used. +If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: 1. No autorestart with logged on users for scheduled automatic updates installations @@ -1793,9 +1793,9 @@ Value type is integer. Default is 14. Supported value range: 2-30. -If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (for example, pending user scheduling). +If no deadline is specified or deadline is set to 0, the restart won't be automatically executed and will remain Engaged restart (for example, pending user scheduling). -If you disable or do not configure this policy, the default behaviors will be used. +If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: 1. No autorestart with logged on users for scheduled automatic updates installations @@ -1848,7 +1848,7 @@ Value type is integer. Default is three days. Supported value range: 1-3. -If you disable or do not configure this policy, the default behaviors will be used. +If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: 1. No autorestart with logged on users for scheduled automatic updates installations @@ -1901,7 +1901,7 @@ Value type is integer. Default is three days. Supported value range: 1-3. -If you disable or do not configure this policy, the default behaviors will be used. +If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: 1. No autorestart with logged on users for scheduled automatic updates installations @@ -1954,7 +1954,7 @@ Value type is integer. Default value is 7 days. Supported value range: 2 - 30. -If you disable or do not configure this policy, the default behaviors will be used. +If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: 1. No autorestart with logged on users for scheduled automatic updates installations @@ -2007,7 +2007,7 @@ Value type is integer. Default value is seven days. Supported value range: 2-30. -If you disable or do not configure this policy, the default behaviors will be used. +If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: 1. No autorestart with logged on users for scheduled automatic updates installations @@ -2103,10 +2103,10 @@ The following list shows the supported values: -Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). +Allows Windows Update Agent to determine the download URL when it's missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). > [!NOTE] -> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. +> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service doesn't provide download URLs in the update metadata for files which are available on the alternate download server. @@ -2164,7 +2164,7 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading) The following list shows the supported values: -- 0 (default) – Do not ignore MO download limit for apps and their updates. +- 0 (default) – Don't ignore MO download limit for apps and their updates. - 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. @@ -2217,7 +2217,7 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading) The following list shows the supported values: -- 0 (default) – Do not ignore MO download limit for OS updates. +- 0 (default) – Don't ignore MO download limit for OS updates. - 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. @@ -2333,7 +2333,7 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Deferrals are not paused. +- 0 (default) – Deferrals aren't paused. - 1 – Deferrals are paused. @@ -2368,7 +2368,7 @@ The following list shows the supported values: -Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later. +Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you're running Windows 10, version 1703 or later. @@ -2383,7 +2383,7 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Feature Updates are not paused. +- 0 (default) – Feature Updates aren't paused. - 1 – Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner. @@ -2476,7 +2476,7 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Quality Updates are not paused. +- 0 (default) – Quality Updates aren't paused. - 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. @@ -2567,7 +2567,7 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product. -If no product is specified, the device will continue receiving newer versions of the Windows product it is currently on. For details about different Windows 10 versions, see [release information](/windows/release-health/release-information). +If no product is specified, the device will continue receiving newer versions of the Windows product it's currently on. For details about different Windows 10 versions, see [release information](/windows/release-health/release-information). @@ -2589,11 +2589,11 @@ Value type is a string containing a Windows product, for example, “Windows 11 -By using this Windows Update for Business policy to upgrade devices to a new product (for example, Windows 11) you are agreeing that when applying this operating system to a device, either: +By using this Windows Update for Business policy to upgrade devices to a new product (for example, Windows 11) you're agreeing that when applying this operating system to a device, either: 1. The applicable Windows license was purchased through volume licensing, or -2. That you are authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms). +2. That you're authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms).
@@ -3212,7 +3212,7 @@ The following list shows the supported values: -This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user cannot access the "Pause updates" feature. +This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user can't access the "Pause updates" feature. Value type is integer. Default is 0. Supported values 0, 1. @@ -3253,7 +3253,7 @@ ADMX Info: -This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features. +This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user can't access the Windows Update scan, download, and install features. Value type is integer. Default is 0. Supported values 0, 1. @@ -3570,7 +3570,7 @@ The following list shows the supported values: Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP-based intranet server despite the vulnerabilities it presents. -This policy setting does not impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS-based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. +This policy setting doesn't impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS-based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. @@ -3731,9 +3731,9 @@ ADMX Info: > [!IMPORTANT] -> Starting in Windows 10, version 1703 this policy is not supported in IoT Mobile. +> Starting in Windows 10, version 1703 this policy isn't supported in IoT Mobile. -Allows the device to check for updates from a WSUS server instead of Microsoft Update. This setting is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. +Allows the device to check for updates from a WSUS server instead of Microsoft Update. This setting is useful for on-premises MDMs that need to update devices that can't connect to the Internet. Supported operations are Get and Replace. @@ -3810,12 +3810,12 @@ This setting lets you specify a server on your network to function as an interna To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. -Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. +Value type is string and the default value is an empty string, "". If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. > [!NOTE] > If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. -> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. +> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates. +> This policy isn't supported on Windows RT. Setting this policy won't have any effect on Windows RT PCs. diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 7c468e27a5..3d13322718 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -19,9 +19,9 @@ manager: dansimp User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). -Even though strings are supported for well-known accounts and groups, it is better to use SIDs, because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. +Even though strings are supported for well-known accounts and groups, it's better to use SIDs, because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. -Here is an example for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups. +Here's an example for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups. ```xml@@ -219,7 +219,7 @@ For example, the following syntax grants user rights to a specific user or group -This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. +This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it's only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. @@ -258,7 +258,7 @@ GP Info: -This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right. +This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services isn't affected by this user right. > [!NOTE] > Remote Desktop Services was called Terminal Services in previous versions of Windows Server. @@ -340,7 +340,7 @@ GP Info: -This user right determines which users can log on to the computer. +This user right determines which users can sign in to the computer. > [!NOTE] > Modifying this setting might affect compatibility with clients, services, and applications. For compatibility information about this setting, see [Allow log on locally](https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. @@ -430,7 +430,7 @@ This user right determines which users and groups can change the time and date o > > | Error code | Symbolic name | Error description | Header | > |----------|----------|----------|----------| -> | 0x80070032 (Hex)|ERROR_NOT_SUPPORTED|The request is not supported.| winerror.h | +> | 0x80070032 (Hex)|ERROR_NOT_SUPPORTED|The request isn't supported.| winerror.h | @@ -469,7 +469,7 @@ GP Info: -This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. +This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they don't have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. > [!CAUTION] > Assigning this user right can be a security risk. Assign this user right to trusted users only. @@ -510,7 +510,7 @@ GP Info: -This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users. +This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually doesn't need to be assigned to any users. @@ -549,7 +549,7 @@ GP Info: -This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. +This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it's not necessary to specifically assign it. @@ -588,7 +588,7 @@ GP Info: -This user right determines if the user can create a symbolic link from the computer he is logged on to. +This user right determines if the user can create a symbolic link from the computer they're signed in to. > [!CAUTION] > This privilege should be given to trusted users only. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. > [!NOTE] @@ -631,9 +631,9 @@ GP Info: -This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. +This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it's necessary, don't assign this user right to a user, group, or process other than Local System. > [!CAUTION] -> Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. +> Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system. @@ -672,7 +672,7 @@ GP Info: -This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. +This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications don't need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. > [!CAUTION] > Assigning this user right can be a security risk. Assign this user right to trusted users only. @@ -833,7 +833,7 @@ GP Info: -This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. +This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account doesn't have the Account can't be delegated account control flag set. > [!CAUTION] > Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. @@ -919,9 +919,9 @@ Assigning this user right to a user allows programs running on behalf of that us > [!NOTE] > By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. -2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. +2) The user, in this sign-in session, created the access token by signing in to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. -Because of these factors, users do not usually need this user right. +Because of these factors, users don't usually need this user right. > [!WARNING] > If you enable this setting, programs that previously had the Impersonate privilege might lose it, and they might not run. @@ -971,7 +971,7 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* > [!WARNING] -> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. +> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers don't function correctly. In particular, the INK workspace doesn't function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. > > On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. @@ -1006,9 +1006,9 @@ GP Info: -This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. +This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right doesn't apply to Plug and Play device drivers. It's recommended that you don't assign this privilege to other users. > [!CAUTION] -> Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. +> Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system. @@ -1086,7 +1086,7 @@ GP Info: -This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege also can view and clear the security log. +This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting doesn't allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege also can view and clear the security log. @@ -1166,7 +1166,7 @@ GP Info: This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should be modified only by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows. > [!NOTE] -> This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. +> This security setting doesn't affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index 95b888306a..dd72a9ae8b 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -65,10 +65,10 @@ Automatic connection attempts - When the computer is already connected to a non-domain-based network, automatic connection attempts to domain-based networks are blocked. Manual connection attempts -- When the computer is already connected to either a non-domain-based network or a domain-based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed. -- When the computer is already connected to either a non-domain-based network or a domain-based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked. +- When the computer is already connected to either a non-domain-based network or a domain-based network over media other than Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed. +- When the computer is already connected to either a non-domain-based network or a domain-based network over Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked. -If this policy setting is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks. +If this policy setting isn't configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks. > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 2644d6a52a..f7a519d956 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -118,7 +118,7 @@ manager: dansimp -The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options. +The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display the contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. @@ -162,7 +162,7 @@ ADMX Info: -Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area. +Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. @@ -177,7 +177,7 @@ ADMX Info: Valid values: - 0 - (Disable) The users can see the display of the Account protection area in Windows Defender Security Center. -- 1 - (Enable) The users cannot see the display of the Account protection area in Windows Defender Security Center. +- 1 - (Enable) The users can't see the display of the Account protection area in Windows Defender Security Center. @@ -210,7 +210,7 @@ Valid values: -Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area. +Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -227,7 +227,7 @@ ADMX Info: The following list shows the supported values: - 0 - (Disable) The users can see the display of the app and browser protection area in Windows Defender Security Center. -- 1 - (Enable) The users cannot see the display of the app and browser protection area in Windows Defender Security Center. +- 1 - (Enable) The users can't see the display of the app and browser protection area in Windows Defender Security Center. @@ -324,7 +324,7 @@ ADMX Info: -Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area. +Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. @@ -339,7 +339,7 @@ ADMX Info: Valid values: - 0 - (Disable) The users can see the display of the Device security area in Windows Defender Security Center. -- 1 - (Enable) The users cannot see the display of the Device security area in Windows Defender Security Center. +- 1 - (Enable) The users can't see the display of the Device security area in Windows Defender Security Center. @@ -372,10 +372,10 @@ Valid values: -Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users. +Use this policy if you want Windows Defender Security Center to only display notifications that are considered critical. If you disable or don't configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users. > [!NOTE] -> If Suppress notification is enabled then users will not see critical or non-critical messages. +> If Suppress notification is enabled then users won't see critical or non-critical messages. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -391,8 +391,8 @@ ADMX Info: The following list shows the supported values: -- 0 - (Disable) Windows Defender Security Center will display critical and non-critical notifications to users.. -- 1 - (Enable) Windows Defender Security Center only display notifications which are considered critical on clients. +- 0 - (Disable) Windows Defender Security Center will display critical and non-critical notifications to users. +- 1 - (Enable) Windows Defender Security Center only display notifications that are considered critical on clients. @@ -425,7 +425,7 @@ The following list shows the supported values: -Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area. +Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -442,7 +442,7 @@ ADMX Info: The following list shows the supported values: - 0 - (Disable) The users can see the display of the family options area in Windows Defender Security Center. -- 1 - (Enable) The users cannot see the display of the family options area in Windows Defender Security Center. +- 1 - (Enable) The users can't see the display of the family options area in Windows Defender Security Center. @@ -475,7 +475,7 @@ The following list shows the supported values: -Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area. +Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -492,7 +492,7 @@ ADMX Info: The following list shows the supported values: - 0 - (Disable) The users can see the display of the device performance and health area in Windows Defender Security Center. -- 1 - (Enable) The users cannot see the display of the device performance and health area in Windows Defender Security Center. +- 1 - (Enable) The users can't see the display of the device performance and health area in Windows Defender Security Center. @@ -525,7 +525,7 @@ The following list shows the supported values: -Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area. +Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -542,7 +542,7 @@ ADMX Info: The following list shows the supported values: - 0 - (Disable) The users can see the display of the firewall and network protection area in Windows Defender Security Center. -- 1 - (Enable) The users cannot see the display of the firewall and network protection area in Windows Defender Security Center. +- 1 - (Enable) The users can't see the display of the firewall and network protection area in Windows Defender Security Center. @@ -575,7 +575,7 @@ The following list shows the supported values: -Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices. +Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or don't configure this setting, Windows Defender Security Center notifications will display on devices. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -592,7 +592,7 @@ ADMX Info: The following list shows the supported values: - 0 - (Disable) The users can see the display of Windows Defender Security Center notifications. -- 1 - (Enable) The users cannot see the display of Windows Defender Security Center notifications. +- 1 - (Enable) The users can't see the display of Windows Defender Security Center notifications. @@ -628,7 +628,7 @@ The following list shows the supported values: Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. Enabled: -Users will not be shown a recommendation to update their TPM Firmware. +Users won't be shown a recommendation to update their TPM Firmware. Disabled: Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware. @@ -689,7 +689,7 @@ ADMX Info: -Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area. +Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -706,7 +706,7 @@ ADMX Info: The following list shows the supported values: - 0 - (Disable) The users can see the display of the virus and threat protection area in Windows Defender Security Center. -- 1 - (Enable) The users cannot see the display of the virus and threat protection area in Windows Defender Security Center. +- 1 - (Enable) The users can't see the display of the virus and threat protection area in Windows Defender Security Center. @@ -739,7 +739,7 @@ The following list shows the supported values: -Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area. +Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or don't configure this setting, local users can make changes in the exploit protection settings area. Value type is integer. Supported operations are Add, Get, Replace and Delete. @@ -756,7 +756,7 @@ ADMX Info: The following list shows the supported values: - 0 - (Disable) Local users are allowed to make changes in the exploit protection settings area. -- 1 - (Enable) Local users cannot make changes in the exploit protection settings area. +- 1 - (Enable) Local users can't make changes in the exploit protection settings area. @@ -789,7 +789,7 @@ The following list shows the supported values: -The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. +The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. @@ -833,7 +833,7 @@ ADMX Info: -Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text. +Enable this policy to display your company name and contact options in the notifications. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text. Value type is integer. Supported operations are Add, Get, Replace, and Delete. @@ -883,7 +883,7 @@ The following list shows the supported values: -Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification. +Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center won't display the contact card fly out notification. Value type is integer. Supported operations are Add, Get, Replace, and Delete. @@ -899,7 +899,7 @@ ADMX Info: The following list shows the supported values: -- 0 - (Disable) Do not display the company name and contact options in the card fly out notification. +- 0 - (Disable) Don't display the company name and contact options in the card fly out notification. - 1 - (Enable) Display the company name and contact options in the card fly out notification. @@ -1143,7 +1143,7 @@ ADMX Info: -The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. +The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options. Value type is string. Supported operations are Add, Get, Replace, and Delete. @@ -1187,9 +1187,9 @@ ADMX Info: -The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. +The help portal URL that is displayed to users. The default browser is used to initiate this action. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device won't display contact options. -Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. +Value type is string. Supported operations are Add, Get, Replace, and Delete. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 5fd902e1a7..4998d7eaf9 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -83,15 +83,15 @@ manager: dansimp This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot. -This occurs only if the last interactive user did not sign out before the restart or shutdown. +This scenario occurs only if the last interactive user didn't sign out before the restart or shutdown. If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns. -If you do not configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. +If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot. -If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts. +If you disable this policy setting, the device doesn't configure automatic sign in. The user’s lock screen apps aren't restarted after the system restarts. @@ -142,17 +142,17 @@ ADMX Info: -This policy setting controls the configuration under which an automatic restart, sign on, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign on does not occur and this policy need not be configured. +This policy setting controls the configuration under which an automatic restart, sign in, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign in doesn't occur and this policy need not be configured. If you enable this policy setting, you can choose one of the following two options: -- Enabled if BitLocker is on and not suspended: Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +- Enabled if BitLocker is on and not suspended: Specifies that automatic sign in and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. BitLocker is suspended during updates if: - - The device does not have TPM 2.0 and PCR7 - - The device does not use a TPM-only protector -- Always Enabled: Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. + - The device doesn't have TPM 2.0 and PCR7 + - The device doesn't use a TPM-only protector +- Always Enabled: Specifies that automatic sign in happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign in should only be run under this condition if you're confident that the configured device is in a secure physical location. -If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior. +If you disable or don't configure this setting, automatic sign in defaults to the “Enabled if BitLocker is on and not suspended” behavior. @@ -207,7 +207,7 @@ This policy setting allows you to prevent app notifications from appearing on th If you enable this policy setting, no app notifications are displayed on the lock screen. -If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. +If you disable or don't configure this policy setting, users can choose which apps display notifications on the lock screen. @@ -249,13 +249,13 @@ ADMX Info: -This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. +This policy setting allows you to control whether anyone can interact with available networks UI on the sign-in screen. -If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. +If you enable this policy setting, the PC's network connectivity state can't be changed without signing into Windows. If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. -Here is an example to enable this policy: +Here's an example to enable this policy: ```xml @@ -320,16 +320,16 @@ ADMX Info: -This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in. +This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This view applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in. If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation. -If you disable this policy setting, users do not see the animation and Microsoft account users do not see the opt-in prompt for services. +If you disable this policy setting, users don't see the animation and Microsoft account users don't see the opt-in prompt for services. -If you do not configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer do not see the animation. +If you don't configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting isn't configured, users new to this computer don't see the animation. > [!NOTE] -> The first sign-in animation is not displayed on Server, so this policy has no effect. +> The first sign-in animation isn't displayed on Server, so this policy has no effect. @@ -385,7 +385,7 @@ This policy setting allows local users to be enumerated on domain-joined compute If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. -If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. +If you disable or don't configure this policy setting, the Logon UI won't enumerate local users on domain-joined computers. @@ -427,7 +427,7 @@ ADMX Info: -This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. +This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or don't configure this policy setting, the Switch account button is accessible to the user in the three locations. @@ -446,7 +446,7 @@ The following list shows the supported values: -To validate on Desktop, do the following: +To validate on Desktop, do the following steps: 1. Enable policy. 2. Verify that the Switch account button in Start is hidden. diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index b3c4462090..02edfd6f6e 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -75,9 +75,9 @@ This policy setting allows the IT admin to enable or disable audio input to the > [!NOTE] > There may be security implications of exposing host audio input to the container. -If this policy is not configured, end-users get the default behavior (audio input enabled). +If this policy isn't configured, end-users get the default behavior (audio input enabled). -If audio input is disabled, a user will not be able to enable audio input from their own configuration file. +If audio input is disabled, a user won't be able to enable audio input from their own configuration file. If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure. @@ -142,9 +142,9 @@ Available in the latest Windows 10 insider preview build. This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox. -If this policy is not configured, end-users get the default behavior (clipboard redirection enabled. +If this policy isn't configured, end-users get the default behavior (clipboard redirection enabled. -If clipboard sharing is disabled, a user will not be able to enable clipboard sharing from their own configuration file. +If clipboard sharing is disabled, a user won't be able to enable clipboard sharing from their own configuration file. If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure. @@ -209,9 +209,9 @@ Available in the latest Windows 10 insider preview build. This policy setting allows the IT admin to enable or disable networking in Windows Sandbox. Disabling network access can decrease the attack surface exposed by the Sandbox. Enabling networking can expose untrusted applications to the internal network. -If this policy is not configured, end-users get the default behavior (networking enabled). +If this policy isn't configured, end-users get the default behavior (networking enabled). -If networking is disabled, a user will not be able to enable networking from their own configuration file. +If networking is disabled, a user won't be able to enable networking from their own configuration file. If networking is enabled, a user will be able to disable networking from their own configuration file to make the device more secure. @@ -274,9 +274,9 @@ Available in the latest Windows 10 insider preview build. This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox. -If this policy is not configured, end-users get the default behavior (printer sharing disabled). +If this policy isn't configured, end-users get the default behavior (printer sharing disabled). -If printer sharing is disabled, a user will not be able to enable printer sharing from their own configuration file. +If printer sharing is disabled, a user won't be able to enable printer sharing from their own configuration file. If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure. @@ -343,9 +343,9 @@ This policy setting allows the IT admin to enable or disable virtualized GPU for > [!NOTE] > Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox. -If this policy is not configured, end-users get the default behavior (vGPU is disabled). +If this policy isn't configured, end-users get the default behavior (vGPU is disabled). -If vGPU is disabled, a user will not be able to enable vGPU support from their own configuration file. +If vGPU is disabled, a user won't be able to enable vGPU support from their own configuration file. If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure. @@ -412,9 +412,9 @@ This policy setting allows the IT admin to enable or disable video input to the > [!NOTE] > There may be security implications of exposing host video input to the container. -If this policy is not configured, users get the default behavior (video input disabled). +If this policy isn't configured, users get the default behavior (video input disabled). -If video input is disabled, users will not be able to enable video input from their own configuration file. +If video input is disabled, users won't be able to enable video input from their own configuration file. If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure. diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index d61b982f66..ac5e6d69fd 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -84,7 +84,7 @@ This policy setting allows you to turn off the Wireless Display multicast DNS se The following list shows the supported values: -- 0 - Do not allow +- 0 - Don't allow - 1 - Allow @@ -124,7 +124,7 @@ This policy setting allows you to turn off discovering the display service adver The following list shows the supported values: -- 0 - Do not allow +- 0 - Don't allow - 1 - Allow @@ -160,9 +160,9 @@ The following list shows the supported values: This policy setting allows you to disable the infrastructure movement detection feature. -If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure. +If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you're projecting over infrastructure. -If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session. +If you set it to 1, your PC will detect that you've moved and will automatically disconnect your infrastructure Wireless Display session. The default value is 1. @@ -171,7 +171,7 @@ The default value is 1. The following list shows the supported values: -- 0 - Do not allow +- 0 - Don't allow - 1 (Default) - Allow @@ -211,7 +211,7 @@ This policy allows you to turn off projection from a PC. The following list shows the supported values: -- 0 - your PC cannot discover or project to other devices. +- 0 - your PC can't discover or project to other devices. - 1 - your PC can discover and project to other devices @@ -251,7 +251,7 @@ This policy allows you to turn off projection from a PC over infrastructure. The following list shows the supported values: -- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. +- 0 - your PC can't discover or project to other infrastructure devices, although it's possible to discover and project over WiFi Direct. - 1 - your PC can discover and project to other devices over infrastructure. @@ -287,7 +287,7 @@ The following list shows the supported values: Allow or disallow turning off the projection to a PC. -If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. +If you set it to 0 (zero), your PC isn't discoverable and you can't project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. Value type is integer. @@ -303,7 +303,7 @@ ADMX Info: The following list shows the supported values: -- 0 - projection to PC is not allowed. Always off and the user cannot enable it. +- 0 - projection to PC isn't allowed. Always off and the user can't enable it. - 1 (default) - projection to PC is allowed. Enabled only above the lock screen. @@ -343,7 +343,7 @@ This policy setting allows you to turn off projection to a PC over infrastructur The following list shows the supported values: -- 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. +- 0 - your PC isn't discoverable and other devices can't project to it over infrastructure, although it's possible to project to it over WiFi Direct. - 1 - your PC is discoverable and other devices can project to it over infrastructure. @@ -419,7 +419,7 @@ The following list shows the supported values: Allow or disallow requirement for a PIN for pairing. -If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. +If you turn on this policy, the pairing ceremony for new devices will always require a PIN. If you turn off this policy or don't configure it, a PIN isn't required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. Value type is integer. @@ -435,7 +435,7 @@ ADMX Info: The following list shows the supported values: -- 0 (default) - PIN is not required. +- 0 (default) - PIN isn't required. - 1 - PIN is required. diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md index 8cea583448..33a8847c7f 100644 --- a/windows/client-management/mdm/proxy-csp.md +++ b/windows/client-management/mdm/proxy-csp.md @@ -22,9 +22,9 @@ The PROXY configuration service provider is used to configure proxy connections. This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. -For the PROXY CSP, you cannot use the Replace command unless the node already exists. +For the PROXY CSP, you can't use the Replace command unless the node already exists. -The following shows the PROXY configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. +The following example shows the PROXY configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol isn't supported by this configuration service provider. ``` ./Vendor/MSFT/Proxy @@ -62,9 +62,9 @@ Root node for the proxy connection. ***ProxyName*** Defines the name of a proxy connection. -It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two proxy connections, use "PROXY0" and "PROXY1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). +It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two proxy connections, use "PROXY0" and "PROXY1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). -The addition, update, and deletion of this sub-tree of nodes have to be specified in a single atomic transaction. +The addition, update, and deletion of this subtree of nodes have to be specified in a single atomic transaction. ***ProxyName*/PROXYID** Specifies the unique identifier of the proxy connection. @@ -93,7 +93,7 @@ Node for port information. ***ProxyName*/Ports/_PortName_** Defines the name of a port. -It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two ports, use "PORT0" and "PORT1" as the element names. +It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two ports, use "PORT0" and "PORT1" as the element names. ***ProxyName*/Ports/*PortName*/PortNbr** Specifies the port number to be associated with the parent port. @@ -104,7 +104,7 @@ Node for services information. ***ProxyName*/Ports/Services/_ServiceName_** Defines the name of a service. -It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two services, use "SERVICE0" and "SERVICE1" as the element names. +It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two services, use "SERVICE0" and "SERVICE1" as the element names. ***ProxyName*/Ports/Services/*ServiceName*/ServiceName** Specifies the protocol to be associated with the parent port. @@ -117,7 +117,7 @@ Node for connection reference information ***ProxyName*/ConRefs/_ConRefName_** Defines the name of a connection reference. -It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two connection references, use "CONREF0" and "CONREF1" as the element names. +It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two connection references, use "CONREF0" and "CONREF1" as the element names. ***ProxyName*/ConRefs/*ConRefName*/ConRef** Specifies one single connectivity object associated with the proxy connection. diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index 8a68f85050..cc8752d76b 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -21,7 +21,7 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. -The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. +The following example shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol isn't supported by this configuration service provider. ```console PXLOGICAL @@ -46,7 +46,7 @@ PXLOGICAL ``` -The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. +The following example shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol isn't supported by this configuration service provider. ```console PXLOGICAL @@ -74,17 +74,17 @@ PXLOGICAL **PXPHYSICAL** Defines a group of logical proxy settings. -The element's mwid attribute is a Microsoft provisioning XML attribute, and is optional when adding a NAP or a proxy. It is required when updating and deleting existing NAPs and proxies and must have its value set to 1. +The element's mwid attribute is a Microsoft provisioning XML attribute, and is optional when adding a NAP or a proxy. It's required when updating and deleting existing NAPs and proxies and must have its value set to 1. **DOMAIN** Specifies the domain associated with the proxy (for example, "\*.com"). -A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon-delimited string of all domains associated with the proxy. +A Windows device supports only one proxy that doesn't have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon-delimited string of all domains associated with the proxy. **NAME** Specifies the name of the logical proxy. -When a list of proxies is displayed to the user they are displayed together in a single line, so the length of this value should be short for readability. +When a list of proxies is displayed to the user they're displayed together in a single line, so the length of this value should be short for readability. **PORT** Defines the bindings between a port number and one or more protocols or services. @@ -94,7 +94,7 @@ This configuration service provider can accept a maximum of two ports per physic **PORTNBR** Specifies the port number associated with some services on this proxy. -If the PORTNBR is 80 or 443, or the PORT characteristic is missing, it is treated as an HTTP proxy. +If the PORTNBR is 80 or 443, or the PORT characteristic is missing, it's treated as an HTTP proxy. **SERVICE** Specifies the service associated with the port number. @@ -104,7 +104,7 @@ Windows supports accepting WAP push connectionless sessions over a Short Message **PUSHENABLED** Specifies whether or not push operations are enabled. -If this element is used in PXLOGICAL, it applies to all of the PXPHYSICAL elements embedded in the PXLOGICAL element. A value of "0" indicates that the proxy does not support push operations. A value of "1" indicates that the proxy supports push operations. +If this element is used in PXLOGICAL, it applies to all of the PXPHYSICAL elements embedded in the PXLOGICAL element. A value of "0" indicates that the proxy doesn't support push operations. A value of "1" indicates that the proxy supports push operations. **PROXY-ID** Used during initial bootstrapping. Specifies the unique identifier of the logical proxy. @@ -120,12 +120,12 @@ Specifies whether or not the physical proxies in this logical proxy are privileg **PXPHYSICAL** Defines a group of physical proxy settings associated with the parent logical proxy. -The element's mwid attribute is a Microsoft provisioning XML attribute, and is optional when adding a NAP or a proxy. It is required when updating and deleting existing NAPs and proxies and must have its value set to 1. +The element's mwid attribute is a Microsoft provisioning XML attribute, and is optional when adding a NAP or a proxy. It's required when updating and deleting existing NAPs and proxies and must have its value set to 1. **PHYSICAL-PROXY-ID** Used during initial bootstrapping. Specifies the identifier of the physical proxy. -When a list of proxies is displayed to the user they are displayed together in a single line, so the length of this value should be short for readability. +When a list of proxies is displayed to the user they're displayed together in a single line, so the length of this value should be short for readability. ***PHYSICAL-PROXY-ID*** Used during bootstrapping updates. Specifies the identifier of the physical proxy. @@ -150,7 +150,7 @@ If **TO-NAPID** is used, the NAP whose **NAPID** is referred to by **TO-NAPID** The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. -These features are available only for the device technique. In addition, the parameter-query and characteristic-query features are not supported for all PXPHYSICAL proxy parameters for all PXADDR types. All parameters can be queried when the PXPHYSICAL proxy PXADDRType is IPv4. For example, if a mobile operator queries the TO-NAPID parameter of a PXPHYSICAL proxy and the PXADDR Type is E164, a noparm is returned. +These features are available only for the device technique. In addition, the parameter-query and characteristic-query features aren't supported for all PXPHYSICAL proxy parameters for all PXADDR types. All parameters can be queried when the PXPHYSICAL proxy PXADDRType is IPv4. For example, if a mobile operator queries the TO-NAPID parameter of a PXPHYSICAL proxy and the PXADDR Type is E164, a noparm is returned. |Feature|Available| |--- |--- | diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index 5f8bb0e5da..89bfa7164d 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -37,7 +37,7 @@ The following parameters may be specified in the request URI. ### Response body -The response body contain [SeatDetails](data-structures-windows-store-for-business.md#seatdetails). +The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails). |Error code|Description|Retry|Data field|Details| |--- |--- |--- |--- |--- | diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md index f799b48992..0d32ea3135 100644 --- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md @@ -29,7 +29,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent  -3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. This will take you to the Azure Active Directory portal. +3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. You're taken to the Azure Active Directory portal.  diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md index c559340720..51ce1f0fd5 100644 --- a/windows/client-management/mdm/remotefind-csp.md +++ b/windows/client-management/mdm/remotefind-csp.md @@ -17,7 +17,7 @@ ms.date: 06/26/2017 The RemoteFind configuration service provider retrieves the location information for a particular device. -The following shows the RemoteFind configuration service provider management object in tree format as used by OMA Client Provisioning. +The following example shows the RemoteFind configuration service provider management object in tree format as used by OMA Client Provisioning. ``` ./Vendor/MSFT RemoteFind @@ -35,26 +35,26 @@ RemoteFind **DesiredAccuracy** Optional. The node accepts the requested radius value in meters. Valid values for accuracy are any value between 1 and 1000 meters. -The default value is 50. Replacing this value only replaces it for the current session. The value is not retained. +The default value is 50. Replacing this value only replaces it for the current session. The value isn't retained. -Supported operations are Replace and Get. The Add command is not supported. +Supported operations are Replace and Get. The Add command isn't supported. **Timeout** Optional. Value is DWORD in seconds. -The default value is 7, and the range is 0 to 1800 seconds. Replacing this value only replaces it for the current session. The value is not retained. +The default value is 7, and the range is 0 to 1800 seconds. Replacing this value only replaces it for the current session. The value isn't retained. -Supported operations are Replace and Get. The Add command is not supported. +Supported operations are Replace and Get. The Add command isn't supported. **MaximumAge** Optional. The value represents the desired time window in minutes that the server will accept a successful location retrieval. The node enables the server to set the requested age value in 100 nanoseconds. Valid values for accuracy include any integer value between 0 and 1440 minutes. -The default value is 60. Replacing this value only replaces it for the current session. The value is not retained. +The default value is 60. Replacing this value only replaces it for the current session. The value isn't retained. -Supported operations are Replace and Get. The Add command is not supported. +Supported operations are Replace and Get. The Add command isn't supported. **Location** -Required. Nodes under this path must be queried atomically in order to succeed. This is to prevent servers from querying incomplete sets of data. +Required. Nodes under this path must be queried atomically in order to succeed. This condition is to prevent servers from querying incomplete sets of data. **Latitude** Required. Provides the latitude of the last successful remote find. diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 3b2af238ea..1ff78fcccf 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -17,7 +17,7 @@ ms.date: 08/13/2018 The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen. -The following shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server. +The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server. ``` ./Vendor/MSFT RemoteWipe @@ -60,7 +60,7 @@ Added in Windows 10, version 1709. Exec on this node will perform a remote rese Added in Windows 10, version 1809. Node for the Autopilot Reset operation. **AutomaticRedeployment/doAutomaticRedeployment** -Added in Windows 10, version 1809. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. +Added in Windows 10, version 1809. Exec on this node triggers Autopilot Reset operation. This node works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. **AutomaticRedeployment/LastError** Added in Windows 10, version 1809. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT). diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md index 196633a0c4..3167a33adc 100644 --- a/windows/client-management/mdm/reporting-csp.md +++ b/windows/client-management/mdm/reporting-csp.md @@ -48,13 +48,13 @@ Interior node for retrieving the security auditing logs. This node is only for m --> **RetrieveByTimeRange** -Returns the logs that exist within the StartTime and StopTime. The StartTime and StopTime are expressed in ISO 8601 format. If the StartTime and StopTime are not specified, then the values are interpreted as either first existing or last existing time. +Returns the logs that exist within the StartTime and StopTime. The StartTime and StopTime are expressed in ISO 8601 format. If the StartTime and StopTime aren't specified, then the values are interpreted as either first existing or last existing time. Here are the other possible scenarios: -- If the StartTime and StopTime are not specified, then it returns all existing logs. -- If the StopTime is specified, but the StartTime is not specified, then all logs that exist before the StopTime are returned. -- If the StartTime is specified, but the StopTime is not specified, then all that logs that exist from the StartTime are returned. +- If the StartTime and StopTime aren't specified, then it returns all existing logs. +- If the StopTime is specified, but the StartTime isn't specified, then all logs that exist before the StopTime are returned. +- If the StartTime is specified, but the StopTime isn't specified, then all that logs that exist from the StartTime are returned. **RetrieveByCount** Interior node for retrieving a specified number of logs from the StartTime. The StartTime is expressed in ISO 8601 format. You can set the number of logs required by setting LogCount and StartTime. It returns the specified number of logs or less, if the total number of logs is less than LogCount. @@ -64,7 +64,7 @@ Contains the reporting logs. Value type is XML. -Supported operations is Get. +Supported operation is Get. **StartTime** Specifies the starting time for retrieving logs. @@ -81,7 +81,7 @@ Value type is string. Use ISO 8601 format. Supported operations are Get and Replace. **Type** -Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this to retrieve the WIP learning logs. +Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the WIP learning logs. Value type is integer. diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index 643e41cb54..3b298a1606 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md @@ -21,7 +21,7 @@ The RootCATrustedCertificates configuration service provider enables the enterpr > The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**. -The following shows the RootCATrustedCertificates configuration service provider in tree format. +The following example shows the RootCATrustedCertificates configuration service provider in tree format. Detailed specification of the principal root nodes: ``` @@ -82,7 +82,7 @@ Node for trusted publisher certificates. Node for trusted people certificates. **RootCATrustedCertificates/UntrustedCertificates** -Added in Windows 10, version 1803. Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. +Added in Windows 10, version 1803. Node for certificates that aren't trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. **_CertHash_** Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. This node is common for all the principal root nodes. The supported operations are Get and Delete. @@ -90,19 +90,19 @@ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certifi The following nodes are all common to the **_CertHash_** node: **/EncodedCertificate** -Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. The supported operations are Add, Get, and Replace. +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value can't include extra formatting characters such as embedded linefeeds, etc. The supported operations are Add, Get, and Replace. **/IssuedBy** -Returns the name of the certificate issuer. This is equivalent to the **Issuer** member in the CERT\_INFO data structure. The only supported operation is Get. +Returns the name of the certificate issuer. This name is equivalent to the **Issuer** member in the CERT\_INFO data structure. The only supported operation is Get. **/IssuedTo** -Returns the name of the certificate subject. This is equivalent to the **Subject** member in the CERT\_INFO data structure. The only supported operation is Get. +Returns the name of the certificate subject. This name is equivalent to the **Subject** member in the CERT\_INFO data structure. The only supported operation is Get. **/ValidFrom** -Returns the starting date of the certificate's validity. This is equivalent to the **NotBefore** member in the CERT\_INFO data structure. The only supported operation is Get. +Returns the starting date of the certificate's validity. This date is equivalent to the **NotBefore** member in the CERT\_INFO data structure. The only supported operation is Get. **/ValidTo** -Returns the expiration date of the certificate. This is equivalent to the **NotAfter** member in the CERT\_INFO data structure. The only supported operation is Get. +Returns the expiration date of the certificate. This date is equivalent to the **NotAfter** member in the CERT\_INFO data structure. The only supported operation is Get. **/TemplateName** Returns the certificate template name. The only supported operation is Get. diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index 1911fa064d..bdc2932777 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -16,7 +16,7 @@ ms.date: 06/26/2017 The SecureAssessment configuration service provider is used to provide configuration information for the secure assessment browser. -The following shows the SecureAssessment configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. +The following example shows the SecureAssessment configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. ``` ./Vendor/MSFT SecureAssessment diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index b92b03ae67..5664077e3e 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -22,9 +22,9 @@ The SecurityPolicy configuration service provider is used to configure security -For the SecurityPolicy CSP, you cannot use the Replace command unless the node already exists. +For the SecurityPolicy CSP, you can't use the Replace command unless the node already exists. -The following shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. +The following example shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. ```console ./Vendor/MSFT @@ -65,7 +65,7 @@ The following security policies are supported. - **PolicyID**: 4111 | Hex:100f - **Policy name**: OTA Provisioning Policy - - **Policy description**: This setting determines whether PIN signed OMA Client Provisioning messages will be processed. This policy's value specifies a role mask. If a message contains at least one of the following roles in the role mask, then the message is processed. To ensure properly signed OMA Client Provisioning messages are accepted by the configuration client, all of the roles that are set in 4141, 4142, and 4143 policies must also be set in this policy. For example, to ensure properly signed USERNETWPIN signed OMA Client Provisioning messages are accepted by the device, if policy 4143 is set to 4096 (SECROLE_ANY_PUSH_SOURCE) for an carrier-unlocked device, policy 4111 must also have the SECROLE_ANY_PUSH_SOURCE role set. + - **Policy description**: This setting determines whether PIN signed OMA Client Provisioning messages will be processed. This policy's value specifies a role mask. If a message contains at least one of the following roles in the role mask, then the message is processed. To ensure properly signed OMA Client Provisioning messages are accepted by the configuration client, all of the roles that are set in 4141, 4142, and 4143 policies must also be set in this policy. For example, to ensure properly signed USERNETWPIN signed OMA Client Provisioning messages are accepted by the device, if policy 4143 is set to 4096 (SECROLE_ANY_PUSH_SOURCE) for a carrier-unlocked device, policy 4111 must also have the SECROLE_ANY_PUSH_SOURCE role set. - Default value: 384 (SECROLE_OPERATOR_TPS | SECROLE_KNOWN_PPG) - Supported values: SECROLE_KNOWN_PPG, SECROLE_ANY_PUSH_SOURCE, SECROLE_OPERATOR_TPS @@ -74,7 +74,7 @@ The following security policies are supported. - **Policy description**: This setting indicates whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed. - Default value: 1 - Supported values: - - 0: Routing of WSP notifications is not allowed. + - 0: Routing of WSP notifications isn't allowed. - 1: Routing of WSP notifications is allowed. - **PolicyID**: 4132 | Hex:1024 @@ -83,13 +83,13 @@ The following security policies are supported. - Default value: 0 - Supported values: - 0: The device prompts a UI to get user confirmation when the OTA WAP provisioning message is signed purely with network pin. - - 1: There is no user prompt. + - 1: There's no user prompt. - **PolicyID**: 4141 | Hex:102d - **Policy name**: OMA CP NETWPIN Policy - **Policy description**: This setting determines whether the OMA network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted. - Default value: 0 - - Supported values: SECROLE_KNOWN_PPG, SECROLE_ANY_PUSH_SOURCE , SECROLE_OPERATOR_TPS + - Supported values: SECROLE_KNOWN_PPG, SECROLE_ANY_PUSH_SOURCE, SECROLE_OPERATOR_TPS - **PolicyID**: 4142 | Hex:102e - **Policy name**: OMA CP USERPIN Policy @@ -201,7 +201,7 @@ The following table shows the Microsoft custom elements that this Configuration |Elements|Available| |--- |--- | |parm-query|Yes| -|noparm|Yes. If this is used, then the policy is set to 0 by default (corresponding to the most restrictive of policy values).| +|noparm|Yes. If this element is used, then the policy is set to 0 by default (corresponding to the most restrictive of policy values).| diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md index 3880906b71..76c6a97981 100644 --- a/windows/client-management/mdm/server-requirements-windows-mdm.md +++ b/windows/client-management/mdm/server-requirements-windows-mdm.md @@ -21,13 +21,13 @@ The following list shows the general server requirements for using OMA DM to man - The OMA DM server must support the OMA DM v1.1.2 or later protocol. -- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate is not issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store. +- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store. - To authenticate the client at the application level, you must use either Basic or MD5 client authentication. - The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session. -- The MD5 binary nonce is send over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash. +- The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash. For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900). diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index fb2d0fb906..7f8d360143 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -17,7 +17,7 @@ ms.date: 01/16/2019 The SharedPC configuration service provider is used to configure settings for Shared PC usage. -The following shows the SharedPC configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. +The following example shows the SharedPC configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. ``` ./Vendor/MSFT SharedPC @@ -133,12 +133,12 @@ Configures when accounts are deleted. The supported operations are Add, Get, Replace, and Delete. -For Windows 10, version 1607, here is the list shows the supported values: +For Windows 10, version 1607, here's the list shows the supported values: - 0 - Delete immediately. - 1 (default) - Delete at disk space threshold. -For Windows 10, version 1703, here is the list of supported values: +For Windows 10, version 1703, here's the list of supported values: - 0 - Delete immediately - 1 - Delete at disk space threshold @@ -154,7 +154,7 @@ Sets the percentage of disk space remaining on a PC before cached accounts will The default value is Not Configured. Its default value in the SharedPC provisioning package is 25. -For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under half of the deletion threshold and disk space is very low, regardless of whether the PC is actively in use or not. +For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under half of the deletion threshold and disk space is low, regardless of whether the PC is actively in use or not. The supported operations are Add, Get, Replace, and Delete. @@ -166,7 +166,7 @@ Sets the percentage of available disk space a PC should have before it stops del The default value is Not Configured. The default value in the SharedPC provisioning package is 25. -For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless whether the PC is actively in use or not. +For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under the deletion threshold and disk space is low, regardless whether the PC is actively in use or not. The supported operations are Add, Get, Replace, and Delete. @@ -187,7 +187,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. **KioskModeUserTileDisplayText** -Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. This node is optional. +Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional. Value type is string. Supported operations are Add, Get, Replace, and Delete. @@ -195,14 +195,14 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. **InactiveThreshold** -Added in Windows 10, version 1703. Accounts will start being deleted when they have not been logged on during the specified period, given as number of days. +Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days. The default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete. The default in the SharedPC provisioning package is 30. **MaxPageFileSizeMB** -Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional. +Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional. > [!NOTE] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md index ee78eb1927..573988546e 100644 --- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md @@ -29,7 +29,7 @@ The following table shows the OMA DM versions that are supported. ## File format -The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](https://go.microsoft.com/fwlink/p/?LinkId=526902) specification. +The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain extra XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](https://go.microsoft.com/fwlink/p/?LinkId=526902) specification. ```xml @@ -107,7 +107,7 @@ SyncBody contains one or more DM commands. The SyncBody can contain multiple DM **Code example** -The following example shows the body component of a DM message. In this example, SyncBody contains only one command, Get. This is indicated by the <Final /> tag that occurs immediately after the terminating tag for the Get command. +The following example shows the body component of a DM message. In this example, SyncBody contains only one command, Get. This command is indicated by the <Final /> tag that occurs immediately after the terminating tag for the Get command. ```xml @@ -124,7 +124,7 @@ The following example shows the body component of a DM message. In this example, ``` -When using SyncML for OMA DM provisioning, a LocURI in SyncBody can have a "." as a valid segment name only in the first segment. However, a "." is not a valid segment name for the other segments. For example, the following LocURI is not valid because the segment name of the seventh segment is a ".". +When SyncML for OMA DM provisioning is being used, a LocURI in SyncBody can have a "." as a valid segment name only in the first segment. However, a "." isn't a valid segment name for the other segments. For example, the following LocURI isn't valid because the segment name of the seventh segment is a ".". ```xml./Vendor/MSFT/Registry/HKLM/Security/./Test diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 32af3e680b..61cb297fdf 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -27,14 +27,14 @@ The SUPL configuration service provider is used to configure the location client - H-SLP server certificate. - Positioning method. - Version of the protocol to use by default. - - MCC/MNC value pairs which are used to specify which networks' UUIC the SUPL account matches. + - MCC/MNC value pairs that are used to specify which networks' UUIC the SUPL account matches. - **V2 UPL**: - - Address of the server — a mobile positioning center for non-trusted mode. + - Address of the server—a mobile positioning center for non-trusted mode. - The positioning method used by the MPC for non-trusted mode. The SUPL or V2 UPL connection will be reconfigured every time the device is rebooted, a new UICC is inserted, or new settings are provisioned by using OMA Client Provisioning, OMA DM, or test tools. When the device is in roaming mode, it reverts to Mobile Station Standalone mode, in which only the built–in Microsoft location components are used. -The following shows the SUPL configuration service provider management object in tree format as used by OMA DM and OMA Client Provisioning. +The following example shows the SUPL configuration service provider management object in tree format as used by OMA DM and OMA Client Provisioning. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application. @@ -76,12 +76,12 @@ SUPL Required for SUPL. Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time. **AppID** -Required. The AppID for SUPL is automatically set to `"ap0004"`. This is a read-only value. +Required. The AppID for SUPL is automatically set to `"ap0004"`. This value is a read-only value. **Addr** Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format *server*: *port*. -If this value is not specified, the device infers the H-SLP address from the IMSI as defined in the SUPL standard. To use automatic generation of the H-SLP address based on the IMSI, the MNC length must be set correctly on the UICC. Generally, this value is 2 or 3. +If this value isn't specified, the device infers the H-SLP address from the IMSI as defined in the SUPL standard. To use automatic generation of the H-SLP address based on the IMSI, the MNC length must be set correctly on the UICC. Generally, this value is 2 or 3. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. @@ -92,9 +92,9 @@ Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0 Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. **MCCMNCPairs** -Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the device uses the default location service and does not use SUPL. +Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL. -This value is a string with the format "(X1,Y1)(X2,Y2)…(Xn,Yn)", in which `X` is a MCC and `Y` is an MNC. +This value is a string with the format "(X1, Y1)(X2, Y2)…(Xn, Yn)", in which `X` is an MCC and `Y` is an MNC. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. @@ -146,7 +146,7 @@ When the location toggle is set to Off and this value is set to 1, the following However, if `privacyOverride` is set in the message, the location will be returned. -When the location toggle is set to Off and this value is set to 0, the location toggle does not prevent SUPL network-initiated requests from working. +When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. @@ -159,7 +159,7 @@ This value manages the settings for both SUPL and v2 UPL. If a device is configu Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. **RootCertificate** -Required. Specifies the root certificate for the H-SLP server. Windows does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. +Required. Specifies the root certificate for the H-SLP server. Windows doesn't support a non-secure mode. If this node isn't included, the configuration service provider will fail but may not return a specific error. **RootCertificate/Name** Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. @@ -265,7 +265,7 @@ When the location toggle is set to Off and this value is set to 1, the following However, if `privacyOverride` is set in the message, the location will be returned. -When the location toggle is set to Off and this value is set to 0, the location toggle does not prevent SUPL network-initiated requests from working. +When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. @@ -283,7 +283,7 @@ Optional. Integer. Defines the minimum interval of time in seconds between mobil ## Unsupported Nodes -The following optional nodes are not supported on Windows devices. +The following optional nodes aren't supported on Windows devices. - ProviderID @@ -299,14 +299,14 @@ The following optional nodes are not supported on Windows devices. - AddrType -If the configuration application tries to set, delete or query these nodes, a response indicating this node is not implemented will be returned over OMA DM. In OMA Client Provisioning, the request to set this node will be ignored and the configuration service provider will continue processing the rest of the nodes. +If the configuration application tries to set, delete or query these nodes, a response indicating this node isn't implemented will be returned over OMA DM. In OMA Client Provisioning, the request to set this node will be ignored and the configuration service provider will continue processing the rest of the nodes. -If a mobile operator requires the communication with the H-SLP to take place over a specific connection rather than a default cellular connection, then this must be configured by using the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md) and the [CM\_ProxyEntries configuration service provider](cm-proxyentries-csp.md) to map the H-SLP server with the required connection. +If a mobile operator requires the communication with the H-SLP to take place over a specific connection rather than a default cellular connection, then this configuration must be done by using the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md) and the [CM\_ProxyEntries configuration service provider](cm-proxyentries-csp.md) to map the H-SLP server with the required connection. ## OMA Client Provisioning examples -Adding new configuration information for a H-SLP server for SUPL. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. +Adding new configuration information for an H-SLP server for SUPL. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. ```xml diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index f900bbac72..1e276239dd 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -16,7 +16,7 @@ ms.date: 07/28/2017 The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. -The following shows the SurfaceHub CSP management objects in tree format. +The following example shows the SurfaceHub CSP management objects in tree format. ``` ./Vendor/MSFT SurfaceHub @@ -147,12 +147,12 @@ SurfaceHub 4. Execute the ValidateAndCommit node. **DeviceAccount/DomainName** -Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. +
Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
The data type is string. Supported operation is Get and Replace. **DeviceAccount/UserName** -
Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. +
Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
The data type is string. Supported operation is Get and Replace. @@ -208,7 +208,7 @@ SurfaceHub **DeviceAccount/ErrorContext** -If there is an error calling ValidateAndCommit, there is additional context for that error in this node. Here are the possible error values: +If there's an error calling ValidateAndCommit, there's another context for that error in this node. Here are the possible error values: | ErrorContext value | Stage where error occurred | Description and suggestions | | --- | --- | --- | @@ -242,7 +242,7 @@ The data type is integer. Supported operation is Get.
Added in Windows 10, version 1703. Node for the Skype for Business settings. **InBoxApps/SkypeForBusiness/DomainName** -
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see Set up Skype for Business Online. +
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online.
The data type is string. Supported operation is Get and Replace. @@ -255,7 +255,7 @@ The data type is integer. Supported operation is Get.
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -
Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. +
Download location for image to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub, otherwise it may not be able to load the image.
The data type is string. Supported operation is Get and Replace. @@ -273,17 +273,17 @@ The data type is integer. Supported operation is Get.
Node for the Whiteboard app settings. **InBoxApps/Whiteboard/SharingDisabled** -
Invitations to collaborate from the Whiteboard app are not allowed. +
Invitations to collaborate from the Whiteboard app aren't allowed.
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Whiteboard/SigninDisabled** -
Sign-ins from the Whiteboard app are not allowed. +
Sign-ins from the Whiteboard app aren't allowed.
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Whiteboard/TelemeteryDisabled** -
Telemetry collection from the Whiteboard app is not allowed. +
Telemetry collection from the Whiteboard app isn't allowed.
The data type is boolean. Supported operation is Get and Replace. @@ -430,21 +430,21 @@ The data type is integer. Supported operation is Get.
The data type is boolean. Supported operation is Get and Replace. **Properties/ProxyServers** -
Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). +
Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://).
The data type is string. Supported operation is Get and Replace. **Properties/DisableSigninSuggestions**
Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. -
If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate. +
If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate.
The data type is boolean. Supported operation is Get and Replace. **Properties/DoNotShowMyMeetingsAndFiles**
Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. -
If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown. +
If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown.
The data type is boolean. Supported operation is Get and Replace. @@ -452,7 +452,7 @@ The data type is integer. Supported operation is Get.
Node for the Microsoft Operations Management Suite. **MOMAgent/WorkspaceID** -
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. +
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent.
The data type is string. Supported operation is Get and Replace. diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index ea7fed9759..da5516f990 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -26,11 +26,11 @@ Depending on the specific category of the settings that they control (OS or appl - OS settings: Computer Configuration/Administrative Templates - Application settings: User Configuration/Administrative Templates -In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are leveraged to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), is not required. +In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are applied to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), isn't required. -An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM. +An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP doesn't rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM. -Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\
`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](./policy-configuration-service-provider.md). +Windows maps the name and category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\ `, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](./policy-configuration-service-provider.md). @@ -62,14 +62,14 @@ The following diagram shows the settings for the "Publishing Server 2 Settings"  -Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply ` `. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server's IT administrator console must also do. For every ` ` element and id attribute in the ADMX policy definition, there must be a corresponding `` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol. +Most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply ` `. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server's IT administrator console must also do. For every ` ` element and ID attribute in the ADMX policy definition, there must be a corresponding `` element and ID attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol. > [!IMPORTANT] > Any data entry field that is displayed in the Group Policy page of the Group Policy Editor must be supplied in the encoded XML of the SyncML payload. The SyncML data payload is equivalent to the user-supplied Group Policy data through GPEdit.msc. For more information about the Group Policy description format, see [Administrative Template File (ADMX) format](/previous-versions/windows/desktop/Policy/admx-schema). Elements can be Text, MultiText, Boolean, Enum, Decimal, or List (for more information, see [policy elements](/previous-versions/windows/desktop/Policy/element-elements)). -For example, if you search for the string, "Publishing_Server2_Name_Prompt" in both the *Enabling a policy* example and its corresponding ADMX policy definition in the appv.admx file, you will find the following occurrences: +For example, if you search for the string, "Publishing_Server2_Name_Prompt" in both the *Enabling a policy* example and its corresponding ADMX policy definition in the appv.admx file, you'll find the following occurrences: Enabling a policy example: ```XML @@ -85,7 +85,7 @@ Appv.admx file: ## ADMX policy examples -The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +The following SyncML examples describe how to set an MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. The functionality that this Group Policy manages isn't important; it's used to illustrate only how an MDM ISV can set an ADMX policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. The payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ### Enabling a policy @@ -231,13 +231,13 @@ The following SyncML examples describe how to set a MDM policy that is defined b This section describes sample SyncML for the various ADMX elements like Text, Multi-Text, Decimal, Boolean, and List. -### How a Group Policy policy category path and name are mapped to a MDM area and policy name +### How a Group Policy policy category path and name are mapped to an MDM area and policy name -Below is the internal OS mapping of a Group Policy to a MDM area and name. This is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. +Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. `./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]// ` -Note that the data payload of the SyncML needs to be encoded so that it does not conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and encoding the policy data [Coder's Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) +The data payload of the SyncML needs to be encoded so that it doesn't conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and encoding the policy data [Coder's Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) **Snippet of manifest for AppVirtualization area:** @@ -306,7 +306,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit ### MultiText Element -The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. Note that it is expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``) +The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``) ```XML List Element (and its variations) -The `list` element simply corresponds to a hive of REG_SZ registry strings and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. How this is represented in SyncML is as a string containing pairs of strings. Each pair is a REG_SZ name/value key. It is best to apply the policy through gpedit.msc (run as Administrator) and go to the registry hive location and see how the list values are stored. This will give you an idea of the way the name/value pairs are stored to express it through SyncML. +The `list` element simply corresponds to a hive of REG_SZ registry strings and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. How this element is represented in SyncML is as a string containing pairs of strings. Each pair is a REG_SZ name/value key. It's best to apply the policy through gpedit.msc (run as Administrator) and go to the registry hive location and see how the list values are stored. This location will give you an idea of the way the name/value pairs are stored to express it through SyncML. > [!NOTE] -> It is expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``). +> It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``). -Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It is expected that the MDM server manages the name/value pairs. See below for a simple write up of Group Policy List. +Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It's expected that the MDM server manages the name/value pairs. See below for a simple write-up of Group Policy List. **ADMX file: inetres.admx** diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index 186d8823ae..1904740772 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -19,7 +19,7 @@ The UnifiedWriteFilter (UWF) configuration service provider enables the IT admin > **Note** The UnifiedWriteFilter CSP is only supported in Windows 10 Enterprise and Windows 10 Education. -The following shows the UWF configuration service provider in tree format. +The following example shows the UWF configuration service provider in tree format. ``` ./Vendor/MSFT UnifiedWriteFilter @@ -114,12 +114,12 @@ Setting the value To “move” swapfile to another volume, set the SwapfileSize property on that other volume's CSP note to non-zero. -Currently SwapfileSize should not be relied for determining or controlling the overlay size, +Currently SwapfileSize shouldn't be relied for determining or controlling the overlay size, **CurrentSession/MaximumOverlaySize** or **NextSession/MaximumOverlaySize** should be used for that purpose. -:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting."::: +:::image type="content" source="images/overlaysetting.png" alt-text="The overlay setting."::: > [!NOTE] > Only single swapfile is supported in current implementation and creating swapfile on specific volume will disable any other swapfile created on other volumes. @@ -141,12 +141,12 @@ Required. Indicates the maximum cache size, in megabytes, of the overlay in the The only supported operation is Get. **CurrentSession/PersisitDomainSecretKey** -Required. Indicates if the domain secret registry key is in the registry exclusion list. If the registry key is not in the exclusion list, changes do not persist after a restart. +Required. Indicates if the domain secret registry key is in the registry exclusion list. If the registry key isn't in the exclusion list, changes don't persist after a restart. The only supported operation is Get. **CurrentSession/PersistTSCAL** -Required. Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key is not in the exclusion list, changes do not persist after a restart. +Required. Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key isn't in the exclusion list, changes don't persist after a restart. The only supported operation is Get. @@ -180,7 +180,7 @@ Required. Indicates the type of binding that the volume uses in the current sess The only supported operation is Get. **CurrentSession/Volume/*Volume*/DriveLetter** -Required. The drive letter of the volume. If the volume does not have a drive letter, this value is NULL. +Required. The drive letter of the volume. If the volume doesn't have a drive letter, this value is NULL. The only supported operation is Get. @@ -203,7 +203,7 @@ Required. This method deletes the specified file and commits the deletion to the Supported operations are Get and Execute. **CurrentSession/ShutdownPending** -Required. This value is True if the system is pending on shutdown. Otherwise, it is False. +Required. This value is True if the system is pending on shutdown. Otherwise, it's False. The only supported operation is Get. @@ -243,12 +243,12 @@ Required. Indicates the maximum cache size, in megabytes, of the overlay for the Supported operations are Get and Replace. **NextSession/PersisitDomainSecretKey** -Required. Indicates if the domain secret registry key is in the registry exclusion list. If the registry key is not in the exclusion list, changes do not persist after a restart. +Required. Indicates if the domain secret registry key is in the registry exclusion list. If the registry key isn't in the exclusion list, changes don't persist after a restart. Supported operations are Get and Replace. **NextSession/PersistTSCAL** -Required. Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key is not in the exclusion list, changes do not persist after a restart. +Required. Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key isn't in the exclusion list, changes don't persist after a restart. Supported operations are Get and Replace. @@ -286,7 +286,7 @@ Required. Indicates the type of binding that the volume uses in the next session Supported operations are Get and Replace. **NextSession/Volume/*Volume*/DriveLetter** -The drive letter of the volume. If the volume does not have a drive letter, this value is NULL. +The drive letter of the volume. If the volume doesn't have a drive letter, this value is NULL. The only supported operation is Get. diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index c57a52f15f..c728cdb027 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -19,7 +19,7 @@ The Update configuration service provider enables IT administrators to manage an > [!NOTE] > The Update CSP functionality of 'ApprovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. -The following shows the Update configuration service provider in tree format. +The following example shows the Update configuration service provider in tree format. ``` ./Vendor/MSFT/Update @@ -62,9 +62,9 @@ The following shows the Update configuration service provider in tree format. > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. - The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this presentation is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update. -
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > [!NOTE] > For the Windows 10 build, the client may need to reboot after additional updates are added. @@ -74,7 +74,7 @@ The following shows the Update configuration service provider in tree format. **ApprovedUpdates/_Approved Update Guid_**
Specifies the update GUID. -
To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +
To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
Supported operations are Get and Add. @@ -130,7 +130,7 @@ The following shows the Update configuration service provider in tree format.
Supported operation is Get. **InstallableUpdates** -
The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved. +
The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved.
Supported operation is Get. @@ -193,7 +193,7 @@ Added in Windows 10, version 1803. Roll back latest Quality Update, if the machi - Condition 2: Device must be in a Paused State - Condition 3: Device must have the Latest Quality Update installed on the device (Current State) -If the conditions are not true, the device will not Roll Back the Latest Quality Update. +If the conditions aren't true, the device won't Roll Back the Latest Quality Update. **Rollback/FeatureUpdate** Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions: @@ -206,7 +206,7 @@ Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machi > [!NOTE] > This only works for General Availability Channel Targeted devices. -If the conditions are not true, the device will not Roll Back the Latest Feature Update. +If the conditions aren't true, the device won't Roll Back the Latest Feature Update. **Rollback/QualityUpdateStatus** Added in Windows 10, version 1803. Returns the result of last RollBack QualityUpdate operation. diff --git a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md index dc580c2252..7dee32b407 100644 --- a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md @@ -1,6 +1,6 @@ --- title: Using PowerShell scripting with the WMI Bridge Provider -description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the WMI Bridge Provider. +description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. ms.assetid: 238D45AD-3FD8-46F9-B7FB-6AEE42BE4C08 ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 06/26/2017 # Using PowerShell scripting with the WMI Bridge Provider -This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). +This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). ## Configuring per-device policy settings @@ -89,7 +89,7 @@ class MDM_Policy_User_Config01_Authentication02 -If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which is not supported in native PowerShell cmdlets. +If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which isn't supported in native PowerShell cmdlets. > **Note** All commands must executed under local system. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 4f5fc988ac..07dbd492dc 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -20,20 +20,20 @@ The VPNv2 configuration service provider allows the mobile device management (MD Here are the requirements for this CSP: - VPN configuration commands must be wrapped in an Atomic block in SyncML. -- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you are using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies. +- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies. - Instead of changing individual properties, follow these steps to make any changes: - Send a Delete command for the ProfileName to delete the entire profile. - Send the entire profile again with new values wrapped in an Atomic block. - In certain conditions you can change some properties directly, but we do not recommend it. + In certain conditions you can change some properties directly, but we don't recommend it. The XSDs for all EAP methods are shipped in the box and can be found at the following locations: - `C:\Windows\schemas\EAPHost` - `C:\Windows\schemas\EAPMethods` -The following shows the VPNv2 configuration service provider in tree format. +The following example shows the VPNv2 configuration service provider in tree format. ``` ./Vendor/MSFT @@ -332,7 +332,7 @@ Supported operations include Get, Add, and Delete. Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect. **VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId -A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. +A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you shouldn't skip numbers. Supported operations include Get, Add, Replace, and Delete. @@ -340,35 +340,35 @@ Supported operations include Get, Add, Replace, and Delete. App Node under the Row Id. **VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Id** -App identity, which is either an app’s package family name or file path. The type is inferred by the Id, and therefore cannot be specified in the get only App/Type field +App identity, which is either an app’s package family name or file path. The type is inferred by the Id, and therefore can't be specified in the get only App/Type field **VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Type** -Returns the type of **App/Id**. This value can be either of the following: +Returns the type of **App/Id**. This value can be either of the following values: -- PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. -- FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`. +- PackageFamilyName - When this value is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. +- FilePath - When this value is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`. Value type is chr. Supported operation is Get. **VPNv2/**ProfileName**/RouteList/** -Optional node. List of routes to be added to the routing table for the VPN interface. This is required for split tunneling case where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface. +Optional node. List of routes to be added to the routing table for the VPN interface. This information is required for split tunneling case where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface. Every computer that runs TCP/IP makes routing decisions. These decisions are controlled by the IP routing table. Adding values under this node updates the routing table with routes for the VPN interface post connection. The values under this node represent the destination prefix of IP routes. A destination prefix consists of an IP address prefix and a prefix length. -Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this during connect negotiation and do not need this information in the VPN Profile. Please check with your VPN server administrator to determine whether you need this information in the VPN profile. +Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this route during connect negotiation and don't need this information in the VPN Profile. Check with your VPN server administrator to determine whether you need this information in the VPN profile. **VPNv2/**ProfileName**/RouteList/**routeRowId -A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. +A sequential integer identifier for the RouteList. This value is required if you're adding routes. Sequencing must start at 0. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/RouteList/**routeRowId**/Address** -Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix. +Subnet address in IPv4/v6 address format which, along with the prefix, will be used to determine the destination prefix to send via the VPN Interface. This subnet address is the IP address part of the destination prefix. Supported operations include Get, Add, Replace, and Delete. Value type is chr. Example, `192.168.0.0` **VPNv2/**ProfileName**/RouteList/**routeRowId**/PrefixSize** -The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface. +The subnet prefix size part of the destination prefix for the route entry. This subnet prefix, along with the address, will be used to determine the destination prefix to route through the VPN Interface. Value type is int. Supported operations include Get, Add, Replace, and Delete. @@ -388,7 +388,7 @@ Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList** Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. -The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. +The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before name resolution queries are issued, the DNS client consults the NRPT to determine if any extra flags must be set in the query. After the response is received, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. > [!NOTE] > Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT. @@ -407,9 +407,9 @@ Used to indicate the namespace to which the policy applies. When a Name query is Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainNameType** -Returns the namespace type. This value can be one of the following: +Returns the namespace type. This value can be one of the following values: -- FQDN - If the DomainName was not prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host. +- FQDN - If the DomainName wasn't prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host. - Suffix - If the DomainName was prepended with a**.** and applies to the specified namespace, all records in that namespace, and all subdomains. Value type is chr. Supported operation is Get. @@ -420,7 +420,7 @@ List of comma-separated DNS Server IP addresses to use for the namespace. Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers** -Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet. +Optional. Web Proxy Server IP address if you're redirecting traffic through your intranet. > [!NOTE] > Currently only one web proxy server is supported. @@ -430,7 +430,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/AutoTrigger** Added in Windows 10, version 1607. Optional. Boolean to determine whether this domain name rule will trigger the VPN. -If set to False, this DomainName rule will not trigger the VPN. +If set to False, this DomainName rule won't trigger the VPN. If set to True, this DomainName rule will trigger the VPN @@ -439,7 +439,7 @@ By default, this value is false. Value type is bool. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/Persistent** -Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN is not connected. Value values: +Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN isn't connected. Value values: - False (default) - This DomainName rule will only be applied when VPN is connected. - True - This DomainName rule will always be present and applied. @@ -452,18 +452,18 @@ An optional node that specifies a list of rules. Only traffic that matches these > [!NOTE] > Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules. -When adding multiple rules, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other. +When multiple rules are being added, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App** -Per app VPN rule. This will allow only the apps specified to be allowed over the VPN interface. Value type is chr. +Per app VPN rule. This property will allow only the apps specified to be allowed over the VPN interface. Value type is chr. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Id** App identity for the app-based traffic filter. -The value for this node can be one of the following: +The value for this node can be one of the following values: - PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. - FilePath - This App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`. @@ -511,17 +511,17 @@ A list of comma-separated values specifying remote IP address ranges to allow. Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RoutingPolicyType** -Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following: +Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following values: - SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. - ForceTunnel - For this traffic rule all IP traffic must go through the VPN Interface only. -This is only applicable for App ID-based Traffic Filter rules. +This property is only applicable for App ID-based Traffic Filter rules. Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Direction** -Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following: +Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following values: - Outbound - The rule applies to all outbound traffic - Inbound - The rule applies to all inbound traffic @@ -531,27 +531,27 @@ If no inbound filter is provided, then by default all unsolicited inbound traffi Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/EdpModeId** -Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. +Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. -Additionally when connecting with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect. +Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect. Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/RememberCredentials** -Boolean value (true or false) for caching credentials. Default is false, which means do not cache credentials. If set to true, credentials are cached whenever possible. +Boolean value (true or false) for caching credentials. Default is false, which means don't cache credentials. If set to true, credentials are cached whenever possible. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/AlwaysOn** -An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. +An optional flag to enable Always On mode. This flag will automatically connect the VPN at sign in and will stay connected until the user manually disconnects. > [!NOTE] > Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active. Preserving user Always On preference -Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. -Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. +Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference. Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config` Value: AutoTriggerDisabledProfilesList Type: REG_MULTI_SZ @@ -569,13 +569,13 @@ Device tunnel profile. Valid values: -- False (default) - this is not a device tunnel profile. -- True - this is a device tunnel profile. +- False (default) - this profile isn't a device tunnel profile. +- True - this profile is a device tunnel profile. When the DeviceTunnel profile is turned on, it does the following things: - First, it automatically becomes an "always on" profile. -- Second, it does not require the presence or logging in of any user to the machine in order for it to connect. +- Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect. - Third, no other device tunnel profile maybe is present on the same machine.- A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected. @@ -587,7 +587,7 @@ Allows registration of the connection's address in DNS. Valid values: -- False = Do not register the connection's address in DNS (default). +- False = Don't register the connection's address in DNS (default). - True = Register the connection's addresses in DNS. **VPNv2/**ProfileName**/DnsSuffix** @@ -599,7 +599,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. Reserved for future use. **VPNv2/**ProfileName**/TrustedNetworkDetection** -Optional. Comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. +Optional. Comma-separated string to identify the trusted network. VPN won't connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -657,7 +657,7 @@ Added in Windows 10, version 1607. Enables the Device Compliance flow from the Value type is bool. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DeviceCompliance/Sso** -Added in Windows 10, version 1607. Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. +Added in Windows 10, version 1607. Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication if there's Device Compliance. **VPNv2/**ProfileName**/DeviceCompliance/Sso/Enabled** Added in Windows 10, version 1607. If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication. @@ -683,7 +683,7 @@ Required for plug-in profiles. Semicolon-separated list of servers in URL, hostn Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/PluginProfile/CustomConfiguration** -Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults. +Optional. This property is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations and defaults. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -708,7 +708,7 @@ You can make a list of server by making a list of server names (with optional fr Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/NativeProfile/RoutingPolicyType** -Optional for native profiles. Type of routing policy. This value can be one of the following: +Optional for native profiles. Type of routing policy. This value can be one of the following values: - SplitTunnel - Traffic can go over any interface as determined by the networking stack. - ForceTunnel - All IP traffic must go over the VPN interface. @@ -716,7 +716,7 @@ Optional for native profiles. Type of routing policy. This value can be one of t Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/NativeProfile/NativeProtocolType** -Required for native profiles. Type of tunneling protocol used. This value can be one of the following: +Required for native profiles. Type of tunneling protocol used. This value can be one of the following values: - PPTP - L2TP @@ -726,7 +726,7 @@ Required for native profiles. Type of tunneling protocol used. This value can be Value type is chr. Supported operations include Get, Add, Replace, and Delete. > [!NOTE] -> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order is not customizable. +> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order isn't customizable. **VPNv2/**ProfileName**/NativeProfile/Authentication** Required node for native profile. It contains authentication information for the native VPN profile. @@ -735,14 +735,14 @@ Required node for native profile. It contains authentication information for the This value can be one of the following: - EAP -- MSChapv2 (This is not supported for IKEv2) +- MSChapv2 (This method isn't supported for IKEv2) Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/NativeProfile/Authentication/MachineMethod** This is only supported in IKEv2. -This value can be one of the following: +This value can be one of the following values: - Certificate diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index 026dcfb003..fca8b3674b 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -54,12 +54,12 @@ If no value is specified, the registry location will default to `
`. If `Name` is greater than 40 characters, it will be truncated to 40 characters. **TO-PROXY** -Required. Specifies one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. +Required. Specifies one logical proxy with a matching PROXY-ID. It's only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy. **TO-NAPID** -Required. Specifies the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](napdef-csp.md). +Required. Specifies the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It's only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](napdef-csp.md). **ADDR** Required. Specifies the address of the MMS application server, as a string. The possible values to configure the ADDR parameter are: @@ -71,7 +71,7 @@ Required. Specifies the address of the MMS application server, as a string. The - A fully qualified Internet domain name **MS** -Optional. The maximum authorized size, in KB, for multimedia content. This parameter takes a numeric value in string format. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. +Optional. The maximum authorized size, in KB, for multimedia content. This parameter takes a numeric value in string format. If the value isn't a number, or is less than or equal to 10, it will be ignored and outgoing MMS won't be resized. ## Related topics diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index c69b5612ca..139c2e3cfd 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -15,7 +15,7 @@ ms.date: 06/26/2017 # w7 APPLICATION CSP -The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it is managed over OMA Client Provisioning. +The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it's managed over OMA Client Provisioning. > **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. @@ -77,7 +77,7 @@ Required. The PORTNBR parameter is used in the PORT characteristic to get or set This characteristic is used in the w7 APPLICATION characteristic to specify authentication information. **APPAUTH/AAUTHDATA** -Optional. The AAUTHDATA parameter is used in the APPAUTH characteristic to get or set additional data used in authentication. This parameter is used to convey the nonce for digest authentication type. This parameter takes a string value. The value of this parameter is a base64-encoded in the form of a series of bytes. Note that if the AAUTHTYPE is DIGEST, this is used as a nonce value in the MD5 hash calculation, and the octal form of the binary data should be used when calculating the hash at the server side and device side. +Optional. The AAUTHDATA parameter is used in the APPAUTH characteristic to get or set more data used in authentication. This parameter is used to convey the nonce for digest authentication type. This parameter takes a string value. The value of this parameter is a base64-encoded in the form of a series of bytes. If the AAUTHTYPE is DIGEST, this value is used as a nonce value in the MD5 hash calculation, and the octal form of the binary data should be used when calculating the hash at the server side and device side. **APPAUTH/AAUTHLEVEL** Required. The AAUTHLEVEL parameter is used in the APPAUTH characteristic to indicate whether credentials are for server authentication or client authentication. This parameter takes a string value. You can set this value. @@ -111,7 +111,7 @@ Required. The APPID parameter is used in the APPLICATION characteristic to diffe **BACKCOMPATRETRYDISABLED** Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time). -> **Note** This parameter does not contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled. +> **Note** This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled. @@ -130,8 +130,8 @@ The valid values are: **INIT** Optional. The INIT parameter is used in the APPLICATION characteristic to indicate that the management server wants the client to initiate a management session immediately after settings approval. If the current w7 APPLICATION document will be put in ROM, the INIT parameter must not be present. -> **Note** This node is only for mobile operators and MDM servers that try to use this will fail. This node is not supported in the enterprise MDM enrollment scenario. -This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio is not yet ready. +> **Note** This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario. +This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio isn't yet ready. @@ -147,7 +147,7 @@ Optional. The NAME parameter is used in the APPLICATION characteristic to specif The NAME parameter can be a string or null (no value). If no value is specified, the registry location will default to <unnamed>. **PROTOVER** -Optional. The PROTOVER parameter is used in the APPLICATION characteristic to specify the OMA DM Protocol version the server supports. No default value is assumed. The protocol version set by this node will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this node is not specified when adding a DM server account, the latest DM protocol version that the client supports is used. In Windows Phone this is 1.2. This is a Microsoft custom parameter. You can set this parameter. +Optional. The PROTOVER parameter is used in the APPLICATION characteristic to specify the OMA DM Protocol version the server supports. No default value is assumed. The protocol version set by this node will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this node isn't specified when adding a DM server account, the latest DM protocol version that the client supports is used. In Windows Phone, this version is 1.2. This parameter is a Microsoft custom parameter. You can set this parameter. Possible values: @@ -159,32 +159,32 @@ Possible values: Optional. The PROVIDER-ID parameter is used in the APPLICATION characteristic to differentiate OMA DM servers. It specifies the server identifier for a management server used in the current management session. This parameter takes a string value. You can set this parameter. **ROLE** -Optional. The ROLE parameter is used in the APPLICATION characteristic to specify the security application chamber that the DM session should run with when communicating with the DM server. The only supported roles are 8 (mobile operator) and 32 (enterprise). If this parameter is not present, the mobile operator role is assumed. The enterprise role can only be set by the enterprise enrollment client. The enterprise client cannot set the mobile operator role. This is a Microsoft custom parameter. This parameter takes a numeric value in string format. You can get or set this parameter. +Optional. The ROLE parameter is used in the APPLICATION characteristic to specify the security application chamber that the DM session should run with when communicating with the DM server. The only supported roles are 8 (mobile operator) and 32 (enterprise). If this parameter isn't present, the mobile operator role is assumed. The enterprise role can only be set by the enterprise enrollment client. The enterprise client can't set the mobile operator role. This parameter is a Microsoft custom parameter. This parameter takes a numeric value in string format. You can get or set this parameter. **TO-NAPID** Optional. The TO-NAPID parameter is used in the APPLICATION characteristic to specify the Network Access Point the client will use to connect to the OMA DM server. If multiple TO-NAPID parameters are specified, only the first TO-NAPID value will be stored. This parameter takes a string value. You can set this parameter. **USEHWDEVID** -Optional. The USEHWDEVID parameter is used in the APPLICATION characteristic to specify use of device hardware identification. It does not have a value. +Optional. The USEHWDEVID parameter is used in the APPLICATION characteristic to specify use of device hardware identification. It doesn't have a value. -- If the parameter is not present, the default behavior is to use an application-specific GUID used rather than the hardware device ID. +- If the parameter isn't present, the default behavior is to use an application-specific GUID used rather than the hardware device ID. - If the parameter is present, the hardware device ID will be provided at the **./DevInfo/DevID** node and in the Source LocURI for the DM package sent to the server. International Mobile Subscriber Identity (IMEI) is returned for a GSM device. **SSLCLIENTCERTSEARCHCRITERIA** -Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used in the APPLICATION characteristic to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it is ignored. +Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used in the APPLICATION characteristic to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it's ignored. The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC. -The supported names are Subject and Stores; wildcard certificate search is not supported. +The supported names are Subject and Stores; wildcard certificate search isn't supported. -Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive. +Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive. > **Note** %EF%80%80 is the UTF8-encoded character U+F000. -Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following: +Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following syntax: ```xml [!WARNING] > Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. The configuration service provider accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the device to connect to the Wi-Fi network when it is in range. +The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. The configuration service provider accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the device to connect to the Wi-Fi network when it's in range. Programming considerations: -- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider does not provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it is not supported in EAP-TLS. -- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device. -- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported. +- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. +- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device. +- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping aren't supported. - The \ *name\_goes\_here*\ \must match \ \ . -- For the WiFi CSP, you cannot use the Replace command unless the node already exists. +- For the WiFi CSP, you can't use the Replace command unless the node already exists. - Using Proxyis in Windows 10 client editions (Home, Pro, Enterprise, and Education) will result in failure. -The following shows the WiFi configuration service provider in tree format. +The following example shows the WiFi configuration service provider in tree format. ```console ./Device/Vendor/MSFT @@ -48,14 +48,14 @@ The following list shows the characteristics and parameters. For user profile, use ./User/Vendor/MSFT/Wifi path and for device profile, use ./Device/Vendor/MSFT/Wifi path. **Profile** -Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. +Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase if there's WEP or WPA2 networks. Supported operation is Get. **\*name\_goes\_here*\ \** Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted. -SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, \ ./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml\ . +SSID is the name of network you're connecting to, while Profile name is the name of the Profile that contains the WiFi settings information. If the Profile name isn't set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, \./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml\ . The supported operations are Add, Get, Delete, and Replace. @@ -88,7 +88,7 @@ The format is *host:port*, where host can be one of the following: - IPV4 address - IPv6/IPvFuture address. -If it is an IPvFuture address, then it must be specified as an IP literal as "\[" (IP v6 address / IPvFuture ) "\]", such as "\[2441:4880:28:3:204:76ff:f43f:6eb\]:8080". +If it's an IPvFuture address, then it must be specified as an IP literal as "\[" (IP v6 address / IPvFuture ) "\]", such as "\[2441:4880:28:3:204:76ff:f43f:6eb\]:8080". Supported operations are Get, Add, Delete, and Replace. --> diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md index 428ed3f3cf..a537048478 100644 --- a/windows/client-management/mdm/win32appinventory-csp.md +++ b/windows/client-management/mdm/win32appinventory-csp.md @@ -17,7 +17,7 @@ ms.date: 06/26/2017 The Win32AppInventory configuration service provider is used to provide an inventory of installed applications on a device. -The following shows the Win32AppInventory configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. +The following example shows the Win32AppInventory configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. ``` ./Vendor/MSFT/Win32AppInventory @@ -69,9 +69,9 @@ The supported operation is Get. **Win32InstalledProgram/_InstalledProgram_/RegKey** A string that specifies product code or registry subkey. -For MSI-based applications this is the product code. +For MSI-based applications, this string is the product code. -For applications found in Add/Remove Programs, this is the registry subkey. +For applications found in Add/Remove Programs, this string is the registry subkey. The supported operation is Get. diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index 579d50e4c2..ccd2424347 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md @@ -36,12 +36,12 @@ To facilitate security-enhanced communication with the remote server for enterpr The DM client configuration, company policy enforcement, business application management, and device inventory are all exposed or expressed via configuration service providers (CSPs). CSPs are the Windows term for managed objects. The DM client communicates with the server and sends configuration request to CSPs. The server only needs to know the logical local URIs defined by those CSP nodes in order to use the DM protocol XML to manage the device. -Here is a summary of the DM tasks supported for enterprise management: +Here's a summary of the DM tasks supported for enterprise management: - Company policy management: Company policies are supported via the Policy CSP allows the enterprise to manage various settings. It enables the management service to configure device lock related policies, disable/enable the storage card, and query the device encryption status. The RemoteWipe CSP allows IT pros to remotely fully wipe the internal user data storage. -- Enterprise application management: This is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It is used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service. +- Enterprise application management: This task is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It's used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service. - Certificate management: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates. -- Basic device inventory and asset management: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service. +- Basic device inventory and asset management: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This information is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service. diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index c8bd5266d0..2d7afd2ff5 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -17,7 +17,7 @@ ms.date: 11/01/2017 The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. -The following shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). +The following example shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). ```console ./Device/Vendor/MSFT @@ -114,7 +114,7 @@ The following list describes the characteristics and parameters. **DeviceTagging**Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. -
Supported operations is Get. +
Supported operation is Get. **DeviceTagging/Group**
Added in Windows 10, version 1709. Device group identifiers. diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index e489b9b6cd..febc8bed02 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -15,7 +15,7 @@ manager: dansimp The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709. -The following shows the WindowsDefenderApplicationGuard configuration service provider in tree format. +The following example shows the WindowsDefenderApplicationGuard configuration service provider in tree format. ``` ./Device/Vendor/MSFT WindowsDefenderApplicationGuard @@ -139,7 +139,7 @@ This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or W The following list shows the supported values: - 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. -- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. +- 1 - Non-enterprise content embedded on enterprise sites is stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. > [!NOTE] > This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled. @@ -160,7 +160,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. The following list shows the supported values: -- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off. +- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user sign out. - 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. @@ -181,8 +181,8 @@ This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or W If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. The following list shows the supported values: -- 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0). -- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container. +- 0 (default) - Can't access the vGPU and uses the CPU to support rendering graphics. When the policy isn't configured, it's the same as disabled (0). +- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This functionality can create a faster experience when working with graphics intense websites or watching video within the container. > [!WARNING] > Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device. @@ -196,14 +196,14 @@ ADMX Info: **Settings/SaveFilesToHost** -Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This also enables users to elect files on the host operating system and upload it through Edge in the container. +Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This policy setting also enables users to elect files on the host operating system and upload it through Edge in the container. Value type is integer. Supported operations are Add, Get, Replace, and Delete. This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. The following list shows the supported values: -- 0 (default) - The user cannot download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy is not configured, it is the same as disabled (0). +- 0 (default) - The user can't download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy isn't configured, it's the same as disabled (0). - 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system. @@ -226,7 +226,7 @@ If you enable this setting, certificates with a thumbprint matching the ones spe Here's an example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924 -If you disable or don’t configure this setting, certificates are not shared with the Microsoft Defender Application Guard container. +If you disable or don’t configure this setting, certificates aren't shared with the Microsoft Defender Application Guard container. ADMX Info: @@ -251,7 +251,7 @@ If you enable this policy setting, applications inside Microsoft Defender Applic If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device. The following list shows the supported values: -- 0 (default) - Microsoft Defender Application Guard cannot access the device’s camera and microphone. When the policy is not configured, it is the same as disabled (0). +- 0 (default) - Microsoft Defender Application Guard can't access the device’s camera and microphone. When the policy isn't configured, it's the same as disabled (0). - 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone. > [!IMPORTANT] diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 20530b3267..0789764ab1 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -19,7 +19,7 @@ ms.date: 08/15/2018 The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 client devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 client devices. -The following shows the WindowsLicensing configuration service provider in tree format. +The following example shows the WindowsLicensing configuration service provider in tree format. ```console ./Vendor/MSFT @@ -41,7 +41,7 @@ WindowsLicensing --------Status (Added in Windows 10, version 1809) ``` **./Device/Vendor/MSFT/WindowsLicensing** -This is the root node for the WindowsLicensing configuration service provider. +This node is the root node for the WindowsLicensing configuration service provider. The supported operation is Get. @@ -70,7 +70,7 @@ If a product key is entered in a provisioning package and the user begins instal After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. -This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key does not require a reboot and is a silent process for the user. +This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key doesn't require a reboot and is a silent process for the user. > [!IMPORTANT] > The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. @@ -117,7 +117,7 @@ The supported operation is Get. Provides a license for an edition upgrade of Windows 10 devices. > [!NOTE] -> This upgrade process does not require a system restart. +> This upgrade process doesn't require a system restart. The date type is XML. @@ -152,7 +152,7 @@ The data type is a chr. The supported operation is Exec. **ChangeProductKey** -Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Does not reboot. +Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Doesn't reboot. The data type is a chr. @@ -191,7 +191,7 @@ Supported values: - 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. **SMode/SwitchFromSMode** -Added in Windows 10, version 1809. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) +Added in Windows 10, version 1809. Switches a device out of S mode if possible. Doesn't reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) Supported operation is Execute. diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index fc6a7c7176..62808bc9bb 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -1,6 +1,6 @@ --- title: WiredNetwork CSP -description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP. Learn how it works. +description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP. Learn how it works. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -16,9 +16,9 @@ manager: dansimp > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, version 1809. +The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, version 1809. -The following shows the WiredNetwork configuration service provider in tree format. +The following example shows the WiredNetwork configuration service provider in tree format. ``` ./User/Vendor/MSFT WiredNetwork diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 3fa7f1b6c8..777b9fa6ec 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -18,7 +18,7 @@ This article describes how to configure the actions that Windows takes when a sy - Write an event to the System log. -- Alert administrators (if you have set up administrative alerts). +- Alert administrators (if you've set up administrative alerts). - Put system memory into a file that advanced users can use for debugging. @@ -92,9 +92,9 @@ Select one of the following type of information that you want Windows to record #### (none) -The option does not record any information in a memory dump file. +The option doesn't record any information in a memory dump file. -To specify that you do not want Windows to record information in a memory dump file, run the following command or modify the registry value: +To specify that you don't want Windows to record information in a memory dump file, run the following command or modify the registry value: - ```cmd wmic recoveros set DebugInfoType = 0 @@ -123,7 +123,7 @@ To specify that you want to use a folder as your Small Dump Directory, run the f #### Kernel Memory Dump -The option records only kernel memory. This option stores more information than a small memory dump file, but it takes less time to complete than a complete memory dump file. The file is stored in %SystemRoot%\Memory.dmp by default, and any previous kernel or complete memory dump files are overwritten if the **Overwrite any existing file** check box is selected. If you set this option, you must have a sufficiently large paging file on the boot volume. The required size depends on the amount of RAM in your computer However, the maximum amount of space that must be available for a kernel memory dump on a 32-bit system is 2 GB plus 16 MB. On a 64-bit system, the maximum amount of space that must be available for a kernel memory dump is the size of the RAM plus 128 MB. The following table provides guidelines for the size of the paging file: +The option records only kernel memory. This option stores more information than a small memory dump file, but it takes less time to complete than a complete memory dump file. The file is stored in %SystemRoot%\Memory.dmp by default, and any previous kernel or complete memory dump files are overwritten if the **Overwrite any existing file** check box is selected. If you set this option, you must have a sufficiently large paging file on the boot volume. The required size depends on the amount of RAM in your computer. However, the maximum amount of space that must be available for a kernel memory dump on a 32-bit system is 2 GB plus 16 MB. On a 64-bit system, the maximum amount of space that must be available for a kernel memory dump is the size of the RAM plus 128 MB. The following table provides guidelines for the size of the paging file: |RAM size |Paging file should be no smaller than| |-------|-----------------| @@ -146,7 +146,7 @@ To specify that you want to use a file as your memory dump file, run the followi - Set the **DumpFile** Expandable String Value to \
` (WinRE drive) the letter R and the ` ` is the letter D, the following is the command that we would use: + For example, if we assign the ` ` (WinRE drive) the letter R and the ` ` is the letter D, we would use the following command: ```console Bcdboot D:\windows /s R: /f ALL @@ -159,7 +159,7 @@ If the files are missing, and you want to rebuild the boot files, follow these s >[!NOTE] >The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations. -If you don't have a Windows 10 ISO, format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps: +If you don't have a Windows 10 ISO, format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do the formatting and copying, follow these steps: 1. Start **Notepad**. @@ -197,7 +197,7 @@ After you run this command, you'll see the **Install pending** and **Uninstall P 6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key. -7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. +7. Unload the hive. To do this unloading, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. > [!div class="mx-imgBorder"] >  @@ -229,7 +229,7 @@ After you run this command, you'll see the **Install pending** and **Uninstall P If these keys exist, check each one to make sure that it has a value that's named **Start**, and that it's set to **0**. If it's not, set the value to **0**. - If any of these keys don't exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands: + If any of these keys don't exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this step, run the following commands: ```console cd OSdrive:\Windows\System32\config @@ -270,7 +270,7 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the ### Running SFC and Chkdsk - If the computer still doesn't start, you can try to run a **chkdisk** process on the system drive, and then also run System File Checker. To do this, run the following commands at a WinRE command prompt: + If the computer still doesn't start, you can try to run a **chkdisk** process on the system drive, and then also run System File Checker. Do these steps by running the following commands at a WinRE command prompt: * `chkdsk /f /r OsDrive:` diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index e9f150cb37..a0f5f57b42 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -27,9 +27,9 @@ A Stop error is displayed as a blue screen that contains the name of the faulty - `igdkmd64.sys` - `nvlddmkm.sys` -There is no simple explanation for the cause of Stop errors (also known as blue screen errors or bug check errors). Many different factors can be involved. However, various studies indicate that Stop errors usually are not caused by Microsoft Windows components. Instead, these errors are generally related to malfunctioning hardware drivers or drivers that are installed by third-party software. This includes video cards, wireless network cards, security programs, and so on. +There's no simple explanation for the cause of Stop errors (also known as blue screen errors or bug check errors). Many different factors can be involved. However, various studies indicate that Stop errors usually aren't caused by Microsoft Windows components. Instead, these errors are related to malfunctioning hardware drivers or drivers that are installed by third-party software. These drivers include video cards, wireless network cards, security programs, and so on. -Our analysis of the root causes of crashes indicates the following: +Our analysis of the root causes of crashes indicates that: - 70 percent are caused by third-party driver code - 10 percent are caused by hardware issues @@ -45,7 +45,7 @@ To troubleshoot Stop error messages, follow these general steps: 1. Review the Stop error code that you find in the event logs. Search online for the specific Stop error codes to see whether there are any known issues, resolutions, or workarounds for the problem. -2. As a best practice, we recommend that you do the following: +2. As a best practice, we recommend that you do the following steps: 1. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: @@ -72,12 +72,12 @@ To troubleshoot Stop error messages, follow these general steps: 4. Run [Microsoft Safety Scanner](https://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections. -5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10–15 percent free disk space. +5. Make sure that there's sufficient free space on the hard disk. The exact requirement varies, but we recommend 10–15 percent free disk space. 6. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios: - The error message indicates that a specific driver is causing the problem. - - You are seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash. + - You're seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash. - You have made any software or hardware changes. >[!NOTE] @@ -105,7 +105,7 @@ To configure the system for memory dump files, follow these steps: 6. Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written. -7. If the server is virtualized, disable auto reboot after the memory dump file is created. This lets you take a snapshot of the server in-state and also if the problem recurs. +7. If the server is virtualized, disable auto reboot after the memory dump file is created. This disablement lets you take a snapshot of the server in-state and also if the problem recurs. The memory dump file is saved at the following locations: @@ -118,7 +118,7 @@ The memory dump file is saved at the following locations: | Automatic memory dump file | %SystemRoot%\MEMORY.DMP | | Active memory dump file | %SystemRoot%\MEMORY.DMP | -You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video:
+You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files aren't corrupted or invalid. For more information, see the following video:
>[!video https://www.youtube.com/embed/xN7tOfgNKag] @@ -144,7 +144,7 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols ## Advanced troubleshooting steps >[!NOTE] ->Advanced troubleshooting of crash dumps can be very challenging if you are not experienced with programming and internal Windows mechanisms. We have attempted to provide a brief insight here into some of the techniques used, including some examples. However, to really be effective at troubleshooting a crash dump, you should spend time becoming familiar with advanced debugging techniques. For a video overview, see [Advanced Windows Debugging](https://channel9.msdn.com/Blogs/Charles/Advanced-Windows-Debugging-An-Introduction) and [Debugging Kernel Mode Crashes and Hangs](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps). Also see the advanced references listed below. +>Advanced troubleshooting of crash dumps can be very challenging if you aren't experienced with programming and internal Windows mechanisms. We have attempted to provide a brief insight here into some of the techniques used, including some examples. However, to really be effective at troubleshooting a crash dump, you should spend time becoming familiar with advanced debugging techniques. For a video overview, see [Advanced Windows Debugging](https://channel9.msdn.com/Blogs/Charles/Advanced-Windows-Debugging-An-Introduction) and [Debugging Kernel Mode Crashes and Hangs](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps). Also see the advanced references listed below. ### Advanced debugging references @@ -153,25 +153,25 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols ### Debugging steps -1. Verify that the computer is set up to generate a complete memory dump file when a crash occurs. See the steps [here](troubleshoot-windows-freeze.md#method-1-memory-dump) for more information. +1. Verify that the computer is set up to generate a complete memory dump file when a crash occurs. For more information, see the steps [here](troubleshoot-windows-freeze.md#method-1-memory-dump). 2. Locate the memory.dmp file in your Windows directory on the computer that is crashing, and copy that file to another computer. 3. On the other computer, download the [Windows 10 SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk). -4. Start the install and choose **Debugging Tools for Windows**. This installs the WinDbg tool. +4. Start the install and choose **Debugging Tools for Windows**. The WinDbg tool is installed. 5. Open the WinDbg tool and set the symbol path by clicking **File** and then clicking **Symbol File Path**. - 1. If the computer is connected to the Internet, enter the [Microsoft public symbol server](/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This is the recommended method. + 1. If the computer is connected to the Internet, enter the [Microsoft public symbol server](/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This method is the recommended one. - 1. If the computer is not connected to the Internet, you must specify a local [symbol path](/windows-hardware/drivers/debugger/symbol-path). + 1. If the computer isn't connected to the Internet, you must specify a local [symbol path](/windows-hardware/drivers/debugger/symbol-path). 6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below. :::image type="content" alt-text="WinDbg img." source="images/windbg.png" lightbox="images/windbg.png"::: -7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page. +7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. The command !analyze -v is entered in the prompt at the bottom of the page. 8. A detailed bugcheck analysis will appear. See the example below. @@ -219,7 +219,7 @@ There are many possible causes of a bugcheck and each case is unique. In the exa The problem here is with **mpssvc** which is a component of the Windows Firewall. The problem was repaired by disabling the firewall temporarily and then resetting firewall policies. -Additional examples are provided in the [Debugging examples](#debugging-examples) section at the bottom of this article. +More examples are provided in the [Debugging examples](#debugging-examples) section at the bottom of this article. ## Video resources @@ -247,7 +247,7 @@ Use the following guidelines when you use Driver Verifier: - Enable concurrent verification on groups of 10–20 drivers. -- Additionally, if the computer cannot boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This is because the tool cannot run in Safe mode. +- Additionally, if the computer can't boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This solution is because the tool can't run in Safe mode. For more information, see [Driver Verifier](/windows-hardware/drivers/devtest/driver-verifier). @@ -263,16 +263,16 @@ VIDEO_ENGINE_TIMEOUT_DETECTED or VIDEO_TDR_TIMEOUT_DETECTED
Stop error code 0 DRIVER_IRQL_NOT_LESS_OR_EQUAL
Stop error code 0x0000000D1 | Apply the latest updates for the driver by applying the latest cumulative updates for the system through the Microsoft Update Catalog website.Update an outdated NIC driver. Virtualized VMware systems often run “Intel(R) PRO/1000 MT Network Connection” (e1g6032e.sys). This driver is available at [http://downloadcenter.intel.com](http://downloadcenter.intel.com). Contact the hardware vendor to update the NIC driver for a resolution. For VMware systems, use the VMware integrated NIC driver (types VMXNET or VMXNET2 , VMXNET3 can be used) instead of Intel e1g6032e.sys. PAGE_FAULT_IN_NONPAGED_AREA
Stop error code 0x000000050 | If a driver is identified in the Stop error message, contact the manufacturer for an update.If no updates are available, disable the driver, and monitor the system for stability. Run Chkdsk /f /r to detect and repair disk errors. You must restart the system before the disk scan begins on a system partition. Contact the manufacturer for any diagnostic tools that they may provide for the hard disk subsystem. Try to reinstall any application or service that was recently installed or updated. It's possible that the crash was triggered while the system was starting applications and reading the registry for preference settings. Reinstalling the application can fix corrupted registry keys.If the problem persists, and you have run a recent system state backup, try to restore the registry hives from the backup. SYSTEM_SERVICE_EXCEPTION
Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. | Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files). -NTFS_FILE_SYSTEM
Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button.We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem. -KMODE_EXCEPTION_NOT_HANDLED
Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.
If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To do this, follow these steps:
Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option. -DPC_WATCHDOG_VIOLATION
Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](/archive/blogs/ntdebugging/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012) to find the problematic driver from the memory dump. -USER_MODE_HEALTH_MONITOR
Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
Event ID: 4870
Source: Microsoft-Windows-FailoverClustering
Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). +NTFS_FILE_SYSTEM
Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this step, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button. We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem. +KMODE_EXCEPTION_NOT_HANDLED
Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.
If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To disable the driver, follow these steps:
Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option. +DPC_WATCHDOG_VIOLATION
Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that doesn't complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for other error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](/archive/blogs/ntdebugging/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012) to find the problematic driver from the memory dump. +USER_MODE_HEALTH_MONITOR
Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
Event ID: 4870
Source: Microsoft-Windows-FailoverClustering
Description: User mode health monitoring has detected that the system isn't being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). ## Debugging examples ### Example 1 -This bugcheck is caused by a driver hang during upgrade, resulting in a bugcheck D1 in NDIS.sys (a Microsoft driver). The **IMAGE_NAME** tells you the faulting driver, but since this is Microsoft driver it cannot be replaced or removed. The resolution method is to disable the network device in device manager and try the upgrade again. +This bugcheck is caused by a driver hang during upgrade, resulting in a bugcheck D1 in NDIS.sys (a Microsoft driver). The **IMAGE_NAME** tells you the faulting driver, but since this driver is Microsoft driver it can't be replaced or removed. The resolution method is to disable the network device in device manager and try the upgrade again. ```console 2: kd> !analyze -v @@ -343,7 +343,7 @@ ANALYSIS_SESSION_HOST: SHENDRIX-DEV0 ANALYSIS_SESSION_TIME: 01-17-2019 11:06:05.0653 ANALYSIS_VERSION: 10.0.18248.1001 amd64fre TRAP_FRAME: ffffa884c0c3f6b0 -- (.trap 0xffffa884c0c3f6b0) -NOTE: The trap frame does not contain all registers. +NOTE: The trap frame doesn't contain all registers. Some register values may be zeroed or incorrect. rax=fffff807ad018bf0 rbx=0000000000000000 rcx=000000000011090a rdx=fffff807ad018c10 rsi=0000000000000000 rdi=0000000000000000 @@ -442,7 +442,7 @@ In this example, a non-Microsoft driver caused page fault, so we don’t have sy ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) -Invalid system memory was referenced. This cannot be protected by try-except. +Invalid system memory was referenced. This can't be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: 8ba10000, memory referenced. diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md index fd6540824c..56573160e6 100644 --- a/windows/client-management/troubleshoot-tcpip-connectivity.md +++ b/windows/client-management/troubleshoot-tcpip-connectivity.md @@ -25,7 +25,7 @@ You might come across connectivity errors on the application end or timeout erro When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture that could indicate a network issue. -* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures reliability is through the handshake process. Establishing a TCP session would begin with a three-way handshake, followed by data transfer, and then a four-way closure. The four-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. After the TIME_WAIT state completes, all the resources allocated for this connection are released. +* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures reliability is through the handshake process. Establishing a TCP session would begin with a three-way handshake, followed by data transfer, and then a four-way closure. The four-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the four-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this period is the TIME_WAIT state. After the TIME_WAIT state completes, all the resources allocated for this connection are released. * TCP reset is an abrupt closure of the session; it causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. @@ -33,13 +33,13 @@ When you suspect that the issue is on the network, you collect a network trace. A network trace on the source and the destination helps you to determine the flow of the traffic and see at what point the failure is observed. -The following sections describe some of the scenarios when you will see a RESET. +The following sections describe some of the scenarios when you'll see a RESET. ## Packet drops -When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up retransmitting the data and when there is no response received, it would end the session by sending an ACK RESET (this means that the application acknowledges whatever data is exchanged so far, but because of packet drop, the connection is closed). +When one TCP peer is sending out TCP packets for which there's no response received from the other end, the TCP peer would end up retransmitting the data and when there's no response received, it would end the session by sending an ACK RESET (thisACK RESET means that the application acknowledges whatever data is exchanged so far, but because of packet drop, the connection is closed). -The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This would mean, the network device between the source and destination is dropping the packets. +The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This scenario denotes that the network device between the source and destination is dropping the packets. If the initial TCP handshake is failing because of packet drops, then you would see that the TCP SYN packet is retransmitted only three times. @@ -47,7 +47,7 @@ Source side connecting on port 445:  -Destination side: applying the same filter, you do not see any packets. +Destination side: applying the same filter, you don't see any packets.  @@ -59,22 +59,22 @@ For the rest of the data, TCP will retransmit the packets five times. **Destination 192.168.1.2 side trace:** -You would not see any of the above packets. Engage your network team to investigate with the different hops and see if any of them are potentially causing drops in the network. +You wouldn't see any of the above packets. Engage your network team to investigate with the different hops and see if any of them are potentially causing drops in the network. -If you are seeing that the SYN packets are reaching the destination, but the destination is still not responding, then verify if the port that you are trying to connect to is in the listening state. (Netstat output will help). If the port is listening and still there is no response, then there could be a wfp drop. +If you're seeing that the SYN packets are reaching the destination, but the destination is still not responding, then verify if the port that you're trying to connect to is in the listening state. (Netstat output will help). If the port is listening and still there's no response, then there could be a wfp drop. ## Incorrect parameter in the TCP header -You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being replayed by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source. +You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being replayed by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you'll be able to notice if there's a change in the packets itself or if any new packets are reaching the destination on behalf of the source. In this case, you'll again need help from the network team to identify any device that's modifying packets or replaying packets to the destination. The most common ones are RiverBed devices or WAN accelerators. ## Application side reset -When you have identified that the resets are not due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you have narrowed it down to application level reset. +When you've identified that the resets aren't due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you've narrowed it down to application level reset. -The application resets are the ones where you see the Acknowledgment flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received. +The application resets are the ones where you see the Acknowledgment flag set to `1` along with the reset flag. This setting would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This stage is when the application that received the packet didn't like something it received. In the below screenshots, you see that the packets seen on the source and the destination are the same without any modification or any drops, but you see an explicit reset sent by the destination to the source. @@ -86,14 +86,14 @@ In the below screenshots, you see that the packets seen on the source and the de  -You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet. +You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason doesn't want to accept the packet, it would send an ACK+RST packet.  The application that's causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. >[!Note] ->The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet +>The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You wouldn't see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you've the UDP packet sent out on a port and the destination does not have port listed, you'll see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet ``` @@ -103,7 +103,7 @@ The application that's causing the reset (identified by port numbers) should be ``` -During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. To understand whether the local firewall is dropping the packet, enable the firewall auditing on the machine. +During the troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but doesn't respond to. In such cases, there could be a drop at the server level. To understand whether the local firewall is dropping the packet, enable the firewall auditing on the machine. ``` auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable @@ -113,6 +113,6 @@ You can then review the Security event logs to see for a packet drop on a partic  -Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection. +Now, run the command `netsh wfp show state`, this execution will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection.  diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index 7bbb4f70f3..aed2257b4d 100644 --- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -15,10 +15,10 @@ ms.collection: highpri # Collect data using Network Monitor -In this article, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic. +In this article, you'll learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic. > [!NOTE] -> Network Monitor is the archived protocol analyzer and is no longer under development. Also, Microsoft Message Analyzer (MMA) was retired and its download packages were removed from microsoft.com sites on November 25, 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in development at this time. For similar functionality, consider using another, non-Microsoft network protocol analyzer tool. For more details, see [Microsoft Message Analyzer Operating Guide](/message-analyzer/microsoft-message-analyzer-operating-guide). +> Network Monitor is the archived protocol analyzer and is no longer under development. Also, Microsoft Message Analyzer (MMA) was retired and its download packages were removed from microsoft.com sites on November 25, 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in development at this time. For similar functionality, consider using another, non-Microsoft network protocol analyzer tool. For more information, see [Microsoft Message Analyzer Operating Guide](/message-analyzer/microsoft-message-analyzer-operating-guide). To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image: @@ -36,13 +36,13 @@ When the driver gets hooked to the network interface card (NIC) during installat  -3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire. +3. Reproduce the issue, and you'll see that Network Monitor grabs the packets on the wire.  4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file. -The saved file has captured all the traffic that is flowing to and from the selected network adapters on the local computer. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic. +The saved file has captured all the traffic that is flowing to and from the selected network adapters on the local computer. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you're facing. So you'll need to filter the network capture to see only the related traffic. **Commonly used filters** @@ -58,7 +58,7 @@ The saved file has captured all the traffic that is flowing to and from the sele >[!TIP] >If you want to filter the capture for a specific field and do not know the syntax for that filter, just right-click that field and select **Add *the selected value* to Display Filter**. -Network traces which are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis. +Network traces that are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis. ## More information diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 638044c3aa..938136edad 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -19,16 +19,16 @@ TCP and UDP protocols work based on port numbers used for establishing connectio There are two types of ports: -- *Ephemeral ports*, which are usually dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection. +- *Ephemeral ports*, which are dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection. - *Well-known ports* are the defined port for a particular application or service. For example, file server service is on port 445, HTTPS is 443, HTTP is 80, and RPC is 135. Custom application will also have their defined port numbers. -When connecting to an application or service, client devices use an ephemeral port from the device to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to `https://www.microsoft.com` on port 443. +When a connection is being established with an application or service, client devices use an ephemeral port from the device to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to `https://www.microsoft.com` on port 443. -In a scenario where the same browser is creating a lot of connections to multiple websites, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports on a machine are used, we term it as *port exhaustion*. +In a scenario where the same browser is creating many connections to multiple websites, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you'll notice that the connections will start to fail and one high possibility for this failure would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports on a machine are used, we term it as *port exhaustion*. ## Default dynamic port range for TCP/IP -To comply with [Internet Assigned Numbers Authority (IANA)](http://www.iana.org/assignments/port-numbers) recommendations, Microsoft has increased the dynamic client port range for outgoing connections. The new default start port is **49152**, and the new default end port is **65535**. This is a change from the configuration of earlier versions of Windows that used a default port range of **1025** through **5000**. +To comply with [Internet Assigned Numbers Authority (IANA)](http://www.iana.org/assignments/port-numbers) recommendations, Microsoft has increased the dynamic client port range for outgoing connections. The new default start port is **49152**, and the new default end port is **65535**. This increase is a change from the configuration of earlier versions of Windows that used a default port range of **1025** through **5000**. You can view the dynamic port range on a computer by using the following netsh commands: @@ -51,13 +51,13 @@ The start port is number, and the total number of ports is range. The following - `netsh int ipv6 set dynamicport tcp start=10000 num=1000` - `netsh int ipv6 set dynamicport udp start=10000 num=1000` -These sample commands set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This results in a start port of 1025 and an end port of 5000. +These sample commands set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) can't exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This usage pattern results in a start port of 1025 and an end port of 5000. -Specifically, about outbound connections as incoming connections will not require an Ephemeral port for accepting connections. +Specifically, about outbound connections as incoming connections won't require an Ephemeral port for accepting connections. -Since outbound connections start to fail, you will see a lot of the below behaviors: +Since outbound connections start to fail, you'll see many instances of the below behaviors: -- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work. +- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign in will require you to contact the DC for authentication, which is again an outbound connection. If you've cache credentials set, then domain sign-in might still work. :::image type="content" alt-text="Screenshot of error for NETLOGON in Event Viewer." source="images/tcp-ts-14.png" lightbox="images/tcp-ts-14.png"::: @@ -79,9 +79,9 @@ Reboot of the server will resolve the issue temporarily, but you would see all t If you suspect that the machine is in a state of port exhaustion: -1. Try making an outbound connection. From the server/machine, access a remote share or try an RDP to another server or telnet to a server on a port. If the outbound connection fails for all of these, go to the next step. +1. Try making an outbound connection. From the server/machine, access a remote share or try an RDP to another server or telnet to a server on a port. If the outbound connection fails for all of these options, go to the next step. -2. Open event viewer and under the system logs, look for the events which clearly indicate the current state: +2. Open event viewer and under the system logs, look for the events that clearly indicate the current state: 1. **Event ID 4227** @@ -95,12 +95,12 @@ If you suspect that the machine is in a state of port exhaustion:  - After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used by the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. + After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used by the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process won't be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. - You might also see CLOSE_WAIT state connections in the same output; however, CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. + You might also see CLOSE_WAIT state connections in the same output; however, CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state doesn't necessarily indicate port exhaustion. > [!Note] - > Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. + > Having huge connections in TIME_WAIT state doesn't always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. > > Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. > @@ -112,7 +112,7 @@ If you suspect that the machine is in a state of port exhaustion: Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl ``` -5. Open the server.etl file with [Network Monitor](troubleshoot-tcpip-netmon.md) and in the filter section, apply the filter **Wscore_MicrosoftWindowsWinsockAFD.AFD_EVENT_BIND.Status.LENTStatus.Code == 0x209**. You should see entries which say **STATUS_TOO_MANY_ADDRESSES**. If you do not find any entries, then the server is still not out of ports. If you find them, then you can confirm that the server is under port exhaustion. +5. Open the server.etl file with [Network Monitor](troubleshoot-tcpip-netmon.md) and in the filter section, apply the filter **Wscore_MicrosoftWindowsWinsockAFD.AFD_EVENT_BIND.Status.LENTStatus.Code == 0x209**. You should see entries that say **STATUS_TOO_MANY_ADDRESSES**. If you don't find any entries, then the server is still not out of ports. If you find them, then you can confirm that the server is under port exhaustion. ## Troubleshoot Port exhaustion @@ -120,30 +120,30 @@ The key is to identify which process or application is using all the ports. Belo ### Method 1 -Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below PowerShell command to identify the process: +Start by looking at the netstat output. If you're using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID that has maximum entries as BOUND. Alternately, you can also run the below PowerShell command to identify the process: ```powershell Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending ``` -Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports. +Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level, ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts, which allows you to identify which process is consuming all of the ports. For Windows 7 and Windows Server 2008 R2, you can update your PowerShell version to include the above cmdlet. ### Method 2 -If method 1 does not help you identify the process (prior to Windows 10 and Windows Server 2012 R2), then have a look at Task Manager: +If method 1 doesn't help you identify the process (prior to Windows 10 and Windows Server 2012 R2), then have a look at Task Manager: 1. Add a column called “handles” under details/processes. 2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.  -3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds. +3. If any other process than these processes has a higher number, stop that process and then try to sign in using domain credentials and see if it succeeds. ### Method 3 -If Task Manager did not help you identify the process, then use Process Explorer to investigate the issue. +If Task Manager didn't help you identify the process, then use Process Explorer to investigate the issue. Steps to use Process explorer: @@ -160,9 +160,9 @@ Steps to use Process explorer: :::image type="content" alt-text="Screenshot of Process Explorer." source="images/tcp-ts-22.png" lightbox="images/tcp-ts-22.png"::: -10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app. +10. Some are normal, but large numbers of them aren't (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you've further proven that the app is the cause. Contact the vendor of that app. -Finally, if the above methods did not help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles. +Finally, if the above methods didn't help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles. As a workaround, rebooting the computer will get it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands: @@ -170,10 +170,10 @@ As a workaround, rebooting the computer will get it back in normal state and wou netsh int ipv4 set dynamicport tcp start=10000 num=1000 ``` -This will set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. +This command will set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) can't exceed 65535. >[!NOTE] ->Note that increasing the dynamic port range is not a permanent solution but only temporary. You will need to track down which process/processors are consuming max number of ports and troubleshoot from that process standpoint as to why its consuming such high number of ports. +>Note that increasing the dynamic port range is not a permanent solution but only temporary. You'll need to track down which process/processors are consuming max number of ports and troubleshoot from that process standpoint as to why it's consuming such high number of ports. For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend. @@ -196,5 +196,5 @@ goto loop ## Useful links - [Port Exhaustion and You!](/archive/blogs/askds/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend) - this article gives a detail on netstat states and how you can use netstat output to determine the port status -- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10 and Windows 11) +- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script that will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10 and Windows 11) diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md index 6601c0c57d..b5ef8d16f6 100644 --- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md +++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md @@ -19,7 +19,7 @@ You might encounter an **RPC server unavailable** error when connecting to Windo  -This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’. +This message is a commonly encountered error message in the networking world and one can lose hope fast without trying to understand much, as to what is happening ‘under the hood’. Before getting in to troubleshooting the *RPC server unavailable- error, let’s first understand basics about the error. There are a few important terms to understand: @@ -29,7 +29,7 @@ Before getting in to troubleshooting the *RPC server unavailable- error - UUID – a well-known GUID that identifies the RPC application. The UUID is what you use to see a specific kind of RPC application conversation, as there are likely to be many. - Opnum – the identifier of a function that the client wants the server to execute. It’s just a hexadecimal number, but a good network analyzer will translate the function for you. If neither knows, your application vendor must tell you. - Port – the communication endpoints for the client and server applications. -- Stub data – the information given to functions and data exchanged between the client and server. This is the payload, the important part. +- Stub data – the information given to functions and data exchanged between the client and server. This data is the payload, the important part. >[!Note] > A lot of the above information is used in troubleshooting, the most important is the Dynamic RPC port number you get while talking to EPM. @@ -47,10 +47,10 @@ Remote Procedure Call (RPC) dynamic port allocation is used by server applicatio Customers using firewalls may want to control which ports RPC is using so that their firewall router can be configured to forward only these Transmission Control Protocol (UDP and TCP) ports. Many RPC servers in Windows let you specify the server port in custom configuration items such as registry entries. When you can specify a dedicated server port, you know what traffic flows between the hosts across the firewall, and you can define what traffic is allowed in a more directed manner. -As a server port, please choose a port outside of the range you may want to specify below. You can find a comprehensive list of server ports that are used in Windows and major Microsoft products in the article [Service overview and network port requirements for Windows](/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements). +As a server port, choose a port outside of the range you may want to specify below. You can find a comprehensive list of server ports that are used in Windows and major Microsoft products in the article [Service overview and network port requirements for Windows](/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements). The article also lists the RPC servers and which RPC servers can be configured to use custom server ports beyond the facilities the RPC runtime offers. -Some firewalls also allow for UUID filtering where it learns from a RPC Endpoint Mapper request for a RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass. +Some firewalls also allow for UUID filtering where it learns from an RPC Endpoint Mapper request for an RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass. With Registry Editor, you can modify the following parameters for RPC. The RPC Port key values discussed below are all located in the following key in the registry: @@ -58,11 +58,11 @@ With Registry Editor, you can modify the following parameters for RPC. The RPC P **Ports REG_MULTI_SZ** -- Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by **5984**, and a set of ports may be represented by **5000-5100**. If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid. +- Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by **5984**, and a set of ports may be represented by **5000-5100**. If any entries are outside the range of 0 to 65535, or if any string can't be interpreted, the RPC runtime treats the entire configuration as invalid. **PortsInternetAvailable REG_SZ Y or N (not case-sensitive)** -- If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available. +- If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that aren't Internet-available. **UseInternetPorts REG_SZ ) Y or N (not case-sensitive)** @@ -72,7 +72,7 @@ With Registry Editor, you can modify the following parameters for RPC. The RPC P **Example:** -In this example ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This is not a recommendation of a minimum number of ports needed for any particular system. +In this example, ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This example isn't a recommendation of a minimum number of ports needed for any particular system. 1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc @@ -108,13 +108,13 @@ If you would like to do a deep dive as to how it works, see [RPC over IT/Pro](ht ### PortQuery -The best thing to always troubleshoot RPC issues before even getting in to traces is by making use of tools like **PortQry**. You can quickly determine if you are able to make a connection by running the command: +The best thing to always troubleshoot RPC issues before even getting in to traces is by making use of tools like **PortQry**. You can quickly determine if you're able to make a connection by running the command: ```console Portqry.exe -n-e 135 ``` -This would give you a lot of output to look for, but you should be looking for *ip_tcp- and the port number in the brackets, which tells whether you were successfully able to get a dynamic port from EPM and also make a connection to it. If the above fails, you can typically start collecting simultaneous network traces. Something like this from the output of “PortQry”: +This command would give you much of the output to look for, but you should be looking for *ip_tcp- and the port number in the brackets, which tells whether you were successfully able to get a dynamic port from EPM and also make a connection to it. If the above fails, you can typically start collecting simultaneous network traces. Something like this from the output of “PortQry”: ```console Portqry.exe -n 169.254.0.2 -e 135 @@ -138,7 +138,7 @@ The one in bold is the ephemeral port number that you made a connection to succe ### Netsh -You can run the commands below to leverage Windows inbuilt netsh captures, to collect a simultaneous trace. Remember to execute the below on an “Admin CMD”, it requires elevation. +You can run the commands below to use Windows inbuilt netsh captures, to collect a simultaneous trace. Remember to execute the below on an “Admin CMD”, it requires elevation. - On the client @@ -164,30 +164,30 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md) - Look for the “EPM” Protocol Under the “Protocol” column. -- Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use. +- Now check if you're getting a response from the server. If you get a response, note the dynamic port number that you've been allocated to use. :::image type="content" alt-text="Screenshot of Network Monitor with dynamic port highlighted." source="images/tcp-ts-23.png" lightbox="images/tcp-ts-23.png"::: -- Check if we are connecting successfully to this Dynamic port successfully. +- Check if we're connecting successfully to this Dynamic port successfully. - The filter should be something like this: `tcp.port== ` and `ipv4.address== ` :::image type="content" alt-text="Screenshot of Network Monitor with filter applied." source="images/tcp-ts-24.png" lightbox="images/tcp-ts-24.png"::: -This should help you verify the connectivity and isolate if any network issues are seen. +This filter should help you verify the connectivity and isolate if any network issues are seen. ### Port not reachable -The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port. +The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect isn't reachable. The client side trace would then show TCP SYN retransmits for the dynamic port. :::image type="content" alt-text="Screenshot of Network Monitor with TCP SYN retransmits." source="images/tcp-ts-25.png" lightbox="images/tcp-ts-25.png"::: -The port cannot be reachable due to one of the following reasons: +The port can't be reachable due to one of the following reasons: - The dynamic port range is blocked on the firewall in the environment. - A middle device is dropping the packets. -- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc). +- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc.). diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index 9d73bacae3..c5605425da 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -25,7 +25,7 @@ This article describes how to troubleshoot freeze issues on Windows-based comput * Which computer is freezing? (Example: The impacted computer is a physical server, virtual server, and so on.) * What operation was being performed when the freezes occurred? (Example: This issue occurs when you shut down GUI, perform one or more operations, and so on.) * How often do the errors occur? (Example: This issue occurs every night at 7 PM, every day around 7 AM, and so on.) -* On how many computers does this occur? (Example: All computers, only one computer, 10 computers, and so on.) +* On how many computers does this freeze occur? (Example: All computers, only one computer, 10 computers, and so on.) ## Troubleshoot the freeze issues @@ -36,7 +36,7 @@ To troubleshoot the freeze issues, check the current status of your computer, an If the physical computer or the virtual machine is still freezing, use one or more of the following methods for troubleshooting: * Try to access the computer through Remote Desktop, Citrix, and so on. -* Use the domain account or local administrator account to log on the computer by using one of the Remote Physical Console Access features, such as Dell Remote Access Card (DRAC), HP Integrated Lights-Out (iLo), or IBM Remote supervisor adapter (RSA). +* Use the domain account or local administrator account to sign in to the computer by using one of the Remote Physical Console Access features, such as Dell Remote Access Card (DRAC), HP Integrated Lights-Out (iLo), or IBM Remote supervisor adapter (RSA). * Test ping to the computer. Packet dropping and high network latency may be observed. * Access administrative shares (\\\\**ServerName**\\c$). * Press Ctrl + Alt + Delete command and check response. @@ -50,7 +50,7 @@ If the physical computer or virtual machine froze but is now running in a good s * Review the System and Application logs from the computer that is having the issue. Check the event logs for the relevant Event ID: - - Application event log : Application Error (suggesting Crash or relevant System Process) + - Application event log: Application Error (suggesting Crash or relevant System Process) - System Event logs, Service Control Manager Error event IDs for Critical System Services - Error Event IDs 2019/2020 with source Srv/Server @@ -88,7 +88,7 @@ If the computer is no longer frozen and now is running in a good state, use the > If you have a restart feature that is enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process. -1. Make sure that the computer is set up to get a complete memory dump file. To do this, follow these steps: +1. Ensure that the computer is set up to get a complete memory dump file. To do this setup, follow these steps: 1. Go to **Run** and enter `Sysdm.cpl`, and then press enter. @@ -108,9 +108,9 @@ If the computer is no longer frozen and now is running in a good state, use the Additionally, you can use the workaround for [space limitations on the system drive in Windows Server 2008](#space-limitations-on-the-system-drive-in-windows-server-2008). - 6. Make sure that there's more available space on the system drive than there is physical RAM. + 6. Make sure that there's more available space on the system drive than there's physical RAM. -2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this, follow these steps: +2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this enablement, follow these steps: 1. Go to Registry Editor, and then locate the following registry keys: @@ -144,7 +144,7 @@ If the computer is no longer frozen and now is running in a good state, use the ### Method 2: Data sanity check -Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file was created correctly. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. +Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file was created correctly. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files aren't corrupted or invalid. - [Using DumpChk](/windows-hardware/drivers/debugger/dumpchk) - [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) @@ -194,7 +194,7 @@ The Performance Monitor log is located in the path: C:\PERFLOGS If the physical computer is still running in a frozen state, follow these steps to enable and collect memory dump: -1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this, follow these steps: +1. Ensure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this setup, follow these steps: > [!NOTE] > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified. @@ -222,11 +222,11 @@ If the physical computer is still running in a frozen state, follow these steps > [!NOTE] > If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$). - 3. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM. + 3. Ensure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM. - 4. Make sure that there's more free space on the hard disk drives of the computer than there is physical RAM. + 4. Ensure that there's more free space on the hard disk drives of the computer than there's physical RAM. -2. Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. To do this, follow these steps: +2. Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. To do this enablement, follow these steps: 1. From a remote computer preferably in the same network and subnet, go to Registry Editor \> Connect Network Registry. Connect to the concerned computer and locate the following registry keys: diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index ef2b5a09cc..2c423bfbc7 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -16,7 +16,7 @@ ms.topic: troubleshooting Microsoft regularly releases both updates for Windows Server. To ensure your servers can receive future updates, including security updates, it's important to keep your servers updated. Check out - [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/en-us/help/4000825/windows-10-windows-server-2016-update-history) for a complete list of released updates. -This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 in an enterprise or IT pro environment. Additional topics will be added as they become available. +This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 in an enterprise or IT pro environment. More topics will be added as they become available. ## Troubleshoot 802.1x Authentication - [Advanced Troubleshooting 802.1X Authentication](./advanced-troubleshooting-802-authentication.md) @@ -24,12 +24,12 @@ This section contains advanced troubleshooting topics and links to help you reso ## Troubleshoot BitLocker - [Guidelines for troubleshooting BitLocker](/windows/security/information-protection/bitlocker/troubleshoot-bitlocker) -- [BitLocker cannot encrypt a drive: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues) +- [BitLocker can't encrypt a drive: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues) - [Enforcing BitLocker policies by using Intune: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues) - [BitLocker Network Unlock: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues) - [BitLocker recovery: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues) - [BitLocker configuration: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues) -- [BitLocker cannot encrypt a drive: known TPM issues](/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues) +- [BitLocker can't encrypt a drive: known TPM issues](/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues) - [BitLocker and TPM: other known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues) - [Decode Measured Boot logs to track PCR changes](/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs) - [BitLocker frequently asked questions (FAQ)](/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions) @@ -110,7 +110,7 @@ This section contains advanced troubleshooting topics and links to help you reso - [Windows Update log files](/windows/deployment/update/windows-update-logs) - [Windows Update troubleshooting](/windows/deployment/update/windows-update-troubleshooting) - [Windows Update common errors and mitigation](/windows/deployment/update/windows-update-errors) -- [Windows Update - Additional resources](/windows/deployment/update/windows-update-resources) +- [Windows Update - More resources](/windows/deployment/update/windows-update-resources) - [Get started with Windows Update](/windows/deployment/update/windows-update-overview) - [Servicing stack updates](/windows/deployment/update/servicing-stack-updates) diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md index 6ff2980e1d..def6469305 100644 --- a/windows/deployment/add-store-apps-to-image.md +++ b/windows/deployment/add-store-apps-to-image.md @@ -35,7 +35,7 @@ This topic describes the correct way to add Microsoft Store for Business applica * A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md). >[!NOTE] -> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)**. +> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)**. ## Adding a Store application to your image @@ -78,7 +78,7 @@ Now, on the machine where your image file is accessible: * [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) * [Export-StartLayout](/powershell/module/startlayout/export-startlayout) * [Import-StartLayout](/powershell/module/startlayout/import-startlayout) -* [Sideload LOB apps in Windows 10](/windows/application-management/siddeploy-windows-cmws-10) +* [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10) * [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) * [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) * [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md index 8078d99554..2622d23564 100644 --- a/windows/deployment/do/mcc-enterprise.md +++ b/windows/deployment/do/mcc-enterprise.md @@ -114,7 +114,7 @@ For questions regarding these instructions contact [msconnectedcache@microsoft.c As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. > [!IMPORTANT] -> [Contact Microsoft](mailto:mccforenterprise@microsoft.com?subject=[MCC%20for%20Enterprise]%20Please%20add%20our%20Azure%20subscription%20to%20the%20allow%20list) and provide this information if you have not already. You'll not be able to proceed if you skip this step. +> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allow list for this preview. You will not be able to proceed if you skip this step. For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id). @@ -122,7 +122,7 @@ For information about creating or locating your subscription ID, see [Steps to o The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. -Send email to the MCC team ([mccforenterprise@microsoft.com](mailto:mccforenterprise@microsoft.com)) with your Azure subscription ID to get access to the preview. The team will send you a link to the Azure portal which will allow you to create the resource described below. +Once you take the survey above and the MCC team adds your subscription id to the allow list, you will be given a link to the Azure portal where you can create the resource described below. 1. On the Azure Portal home page, choose **Create a resource**:  diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index 406565ed09..dd4a7afbbc 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md @@ -27,7 +27,7 @@ ms.topic: article Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads. -MCC is a hybrid (a mix of on-prem and cloud resources) SaaS solution built as an Azure IoT Edge module; it is a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it is a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. Azure IoT Edge consists of three components that the MCC infrastructure will utilize: +Microsoft Connected Cache is a Hybrid (mix of on-prem and cloud resources) solution composed of a Docker compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge (more information on IoT Edge [in the appendix](#iot-edge-runtime)) as a secure and reliable control plane, and even though your scenario is not related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure. Azure IoT Edge consists of three components that the Microsoft Connected Cache infrastructure will utilize: 1. A cloud-based interface that enables secure, remote installation, monitoring, and management of MCC nodes. 2. A runtime that securely manages the modules deployed to each device. diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 82c116b5b9..febbb80275 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -46,7 +46,7 @@ The features described below are no longer being actively developed, and might b | Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 | | Windows To Go | Windows To Go is no longer being developed.
The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 | | Print 3D app | Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 | -|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 | +|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 | |OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 | |Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 | |[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 | diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index 2db0fd7296..117d670e45 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -147,6 +147,6 @@ sections: answer: | Use the following resources for additional information about Windows 10. - If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. - - If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10). + - If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum). - If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev). - If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home). diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 0344fbd385..3683bb0214 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -51,7 +51,7 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op |Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) | ## Validate Insider Preview builds -Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: +Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. Early validation has several benefits: - Get a head start on your Windows validation process. - Identify issues sooner to accelerate your Windows deployment. diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 5bf7d676b6..cb16c3b261 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -32,7 +32,7 @@ Windows as a service provides a new way to think about building, deploying, and | [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the servicing model for Windows client. | | [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | -| [Assign devices to servicing branches for Windows client updates](/waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. | +| [Assign devices to servicing branches for Windows client updates](waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. | | [Optimize update delivery](../do/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | @@ -40,7 +40,7 @@ Windows as a service provides a new way to think about building, deploying, and | [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates. | | [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. | | [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | -| [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) | Explains how the Windows Insider Program for Business works and how to become an insider. | +| [Windows Insider Program for Business](/windows-insider/business/register) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] >For disaster recovery scenarios and bare-metal deployments of Windows client, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows client images is similar to deploying previous versions of Windows. diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index 2239c8a19b..e9ce2f2e27 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -31,7 +31,6 @@ Here's more news about [Windows as a service](windows-as-a-service.md):- Application compatibility in the Windows ecosystem - January 15, 2019
- Windows monthly security and quality updates overview - January 10, 2019
- Driver quality in the Windows ecosystem - December 19, 2018
-- Modern Desktop Podcast - Episode 001 – Windows 10 Monthly Quality Updates - December 18, 2018
- Measuring Delivery Optimization and its impact to your network - December 13, 2018
- LTSC: What is it, and when should it be used? - November 29, 2018
- Local Experience Packs: What are they and when should you use them? - November 14, 2018
@@ -45,7 +44,7 @@ Here's more news about [Windows as a service](windows-as-a-service.md):- Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates - September 21, 2018
- Helping customers shift to a modern desktop - September 6, 2018
- What's next for Windows 10 and Windows Server quality updates - August 16, 2018
-- Windows 10 monthly updates - August 1, 2018 (video)
+- Windows 10 monthly updates - August 1, 2018 (video)
- Windows 10 update servicing cadence - August 1, 2018
- Windows 10 quality updates explained and the end of delta updates - July 11, 2018
- AI Powers Windows 10 April 2018 Update Rollout - June 14, 2018
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 5aa1bb9690..c30ca87c8b 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -122,7 +122,7 @@ The Long-term Servicing Channel is available only in the Windows 10 Enterprise L For many IT pros, gaining visibility into feature updates early--before they’re available to the General Availability Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. -Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started). +Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](/windows-insider/business/register). diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 2e47228c90..7e049263a6 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -63,7 +63,7 @@ The **Branch Readiness Level** settings allow you to choose between preview flig * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and feature updates are received* * MDM: **Update/BranchReadinessLevel** -For more information, see [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) +For more information, see [Windows Insider Program for Business](/windows-insider/business/register). ## Block access to Windows Insider Program diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index a9a1751eac..a53cf59f90 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -107,9 +107,3 @@ Secure your organization's deployment investment. [Express update delivery](../do/waas-optimize-windows-10-updates.md#express-update-delivery) [Windows 10 deployment considerations](../planning/windows-10-deployment-considerations.md) - - -## Microsoft Ignite 2018 -
-
-Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
index 3f582da318..e23f09f53f 100644
--- a/windows/deployment/upgrade/quick-fixes.md
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -117,9 +117,7 @@ To check and repair errors on the system drive:
The Windows Update troubleshooter tool will automatically analyze and fix problems with Windows Update, such as a corrupted download. It will also tell you if there is a pending reboot that is preventing Windows from updating.
-For Windows 7 and 8.1, the tool is [here](https://aka.ms/diag_wu).
-
-For Windows 10, the tool is [here](https://aka.ms/wudiag).
+[Download the tool for Windows 10](https://aka.ms/wudiag).
To run the tool, click the appropriate link above. Your web browser will prompt you to save or open the file. Select **open** and the tool will automatically start. The tool will walk you through analyzing and fixing some common problems.
@@ -204,7 +202,7 @@ To remove programs, use the same steps as are provided [above](#uninstall-non-mi
Updating firmware (such as the BIOS) and installing hardware drivers is a somewhat advanced task. Do not attempt to update BIOS if you aren't familiar with BIOS settings or are not sure how to restore the previous BIOS version if there are problems. Most BIOS updates are provided as a "flash" update. Your manufacturer might provide a tool to perform the update, or you might be required to enter the BIOS and update it manually. Be sure to save your working BIOS settings, since some updates can reset your configuration and make the computer fail to boot if (for example) a RAID configuration is changed.
-Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
+Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](/surface/manage-surface-driver-and-firmware-updates).
To obtain the proper firmware drivers, search for the most updated driver version provided by your computer manufacturer. Install these updates and reboot the computer after installation. Request assistance from the manufacturer if you have any questions.
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
index 3ae929c837..d2bec5e3f1 100644
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -34,7 +34,7 @@ A frequently observed [result code](upgrade-error-codes.md#result-codes) is 0xC1
- Event logs: $Windows.~bt\Sources\Rollback\*.evtx
- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log
-The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018).
+The device install log is helpful if rollback occurs during the sysprep operation (extend code 0x30018).
To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process.
@@ -43,57 +43,57 @@ See the following general troubleshooting procedures associated with a result co
| Code | Mitigation | Cause |
| :--- | :--- | :--- |
-| 0xC1900101 - 0x20004 | Uninstall antivirus applications.
Remove all unused SATA devices.
Remove all unused devices and drivers.
Update drivers and BIOS. | Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation.
This is generally caused by out-of-date drivers. | -| 0xC1900101 - 0x2000c | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Contact your hardware vendor to obtain updated device drivers.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
This is generally caused by out-of-date drivers | -| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.
Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).
Update or uninstall the problem drivers. | A driver has caused an illegal operation.
Windows was not able to migrate the driver, resulting in a rollback of the operating system.
This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
This can also be caused by a hardware failure. | +| 0xC1900101 - 0x20004 | Uninstall antivirus applications.
Remove all unused SATA devices.
Remove all unused devices and drivers.
Update drivers and BIOS. | Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation.
This is caused by out-of-date drivers. | +| 0xC1900101 - 0x2000c | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Contact your hardware vendor to obtain updated device drivers.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
This is caused by out-of-date drivers | +| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.
Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).
Update or uninstall the problem drivers. | A driver has caused an illegal operation.
Windows wasn't able to migrate the driver, resulting in a rollback of the operating system.
This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
This can also be caused by a hardware failure. | | 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Contact your hardware vendor to obtain updated device drivers.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. | | 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
This can occur due to a problem with a display driver. | -| 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
Review the rollback log and determine the stop code.
The rollback log is located in the $Windows.~BT\Sources\Rollback folder. An example analysis is shown below. This example is not representative of all cases:
Info SP Crash 0x0000007E detected
Info SP Module name :
Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
Info SP Cannot recover the system.
Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
1. Make sure you have enough disk space.
2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
3. Try changing video adapters.
4. Check with your hardware vendor for any BIOS updates.
5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.
Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
This can occur because of incompatible drivers. | -| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
Ensure that you select the option to "Download and install updates (recommended)."
Computers that run Citrix VDA
You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.
**Resolution**
To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
You can work around this problem in two ways:
**Workaround 1**
1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
2. Run the Windows upgrade again.
3. Reinstall Citrix VDA.
**Workaround 2**
If you cannot uninstall Citrix VDA, follow these steps to work around this problem:
1. In Registry Editor, go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc**
2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
3. Go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}**
4. Delete the **CtxMcsWbc** entry.
5. Restart the computer, and then try the upgrade again.
**Non-Microsoft information disclaimer**
The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot.
This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. | +| 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
Review the rollback log and determine the stop code.
The rollback log is located in the $Windows.~BT\Sources\Rollback folder. An example analysis is shown below. This example isn't representative of all cases:
Info SP Crash 0x0000007E detected
Info SP Module name :
Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
Info SP Can't recover the system.
Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
Typically, there's a dump file for the crash to analyze. If you aren't equipped to debug the dump, then attempt the following basic troubleshooting procedures:
1. Make sure you have enough disk space.
2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
3. Try changing video adapters.
4. Check with your hardware vendor for any BIOS updates.
5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.
Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
This can occur because of incompatible drivers. | +| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
Ensure that you select the option to "Download and install updates (recommended)."
Computers that run Citrix VDA
You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade can't complete and the system rolls back.
**Resolution**
To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
You can work around this problem in two ways:
**Workaround 1**
1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
2. Run the Windows upgrade again.
3. Reinstall Citrix VDA.
**Workaround 2**
If you can't uninstall Citrix VDA, follow these steps to work around this problem:
1. In Registry Editor, go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc**
2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
3. Go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}**
4. Delete the **CtxMcsWbc** entry.
5. Restart the computer, and then try the upgrade again.
**Non-Microsoft information disclaimer**
The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot.
This is caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. | ## 0x800xxxxx -Result codes that start with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. +Result codes that start with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and aren't unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: | Code | Mitigation | Cause | | :--- | :--- | :--- | | 80040005 - 0x20007 | This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. | An unspecified error occurred with a driver during the SafeOS phase. | -| 0x80073BC3 - 0x20009
0x80070002 - 0x20009
0x80073B92 - 0x20009 | These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition. | The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria. | +| 0x80073BC3 - 0x20009
0x80070002 - 0x20009
0x80073B92 - 0x20009 | These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition. | The requested system device can't be found, there's a sharing violation, or there are multiple devices matching the identification criteria. | | 800704B8 - 0x3001A | Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/kb/929135). | An extended error has occurred during the first boot phase. | -| 8007042B - 0x4000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object. | The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
This issue can occur due to file system, application, or driver issues. | -| 8007001F - 0x3000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration.
This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory.
**Note**: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory.
To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files.| The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. | -| 8007001F - 0x4000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device. | General failure, a device attached to the system is not functioning. | +| 8007042B - 0x4000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the file, application, or driver that isn't able to be migrated. Disconnect, update, remove, or replace the device or object. | The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
This issue can occur due to file system, application, or driver issues. | +| 8007001F - 0x3000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration.
This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory.
**Note**: If a previous upgrade didn't complete, invalid profiles might exist in the **Windows.old\\Users** directory.
To repair this error, ensure that deleted accounts aren't still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files.| The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. | +| 8007001F - 0x4000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the device that isn't functioning properly. Disconnect, update, or replace the device. | General failure, a device attached to the system isn't functioning. | | 8007042B - 0x4001E | This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. | The installation failed during the second boot phase while attempting the PRE_OOBE operation. | ## Other result codes |Error code|Cause|Mitigation| |--- |--- |--- | -|0xC1800118|WSUS has downloaded content that it cannot use due to a missing decryption key.|See [Steps to resolve error 0xC1800118](/archive/blogs/wsus/resolving-error-0xc1800118) for information.| -|0xC1900200|Setup.exe has detected that the machine does not meet the minimum system requirements.|Ensure the system you are trying to upgrade meets the minimum system requirements. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for information.| -|0x80090011|A device driver error occurred during user data migration.|Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process.Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.| +|0xC1800118|WSUS has downloaded content that it can't use due to a missing decryption key.|See [Steps to resolve error 0xC1800118](/archive/blogs/wsus/resolving-error-0xc1800118) for information.| +|0xC1900200|Setup.exe has detected that the machine doesn't meet the minimum system requirements.|Ensure the system you're trying to upgrade meets the minimum system requirements. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for information.| +|0x80090011|A device driver error occurred during user data migration.|Contact your hardware vendor and get all the device drivers updated. It's recommended to have an active internet connection during upgrade process.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.| |0xC7700112|Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk.|This issue is resolved in the latest version of Upgrade Assistant.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.| |0x80190001|An unexpected error was encountered while attempting to download files required for upgrade.|To resolve this issue, download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/software-download/windows10).| -|0x80246007|The update was not downloaded successfully.|Attempt other methods of upgrading the operating system.
Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/software-download/windows10).
Attempt to upgrade using .ISO or USB.
**Note:** Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).| +|0x80246007|The update wasn't downloaded successfully.|Attempt other methods of upgrading the operating system.
Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/software-download/windows10).
Attempt to upgrade using .ISO or USB.
**Note:** Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).| |0x80244018|Your machine is connected through a proxy server.|Make sure Automatically Detect Settings is selected in internet options. (Control Panel > Internet Options > Connections > LAN Settings).| -|0xC1900201|The system did not pass the minimum requirements to install the update.|Contact the hardware vendor to get the latest updates.| +|0xC1900201|The system didn't pass the minimum requirements to install the update.|Contact the hardware vendor to get the latest updates.| |0x80240017|The upgrade is unavailable for this edition of Windows.|Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.| -|0x80070020|The existing process cannot access the file because it is being used by another process.|Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).| -|0x80070522|The user doesn’t have required privilege or credentials to upgrade.|Ensure that you have signed in as a local administrator or have local administrator privileges.| -|0xC1900107|A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.|Restart the device and run setup again. If restarting the device does not resolve the issue, then use the Disk Cleanup utility and clean up the temporary files as well as the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10).| -|0xC1900209|The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.|Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](/archive/blogs/mniehaus/windows-10-pre-upgrade-validation-using-setup-exe) for more information.
You can also download the Windows Assessment and Deployment Kit (ADK) for Windows 10 and install Application Compatibility Tools.| +|0x80070020|The existing process can't access the file because it's being used by another process.|Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).| +|0x80070522|The user doesn’t have required privilege or credentials to upgrade.|Ensure that you've signed in as a local administrator or have local administrator privileges.| +|0xC1900107|A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.|Restart the device and run setup again. If restarting the device doesn't resolve the issue, then use the Disk Cleanup utility to clean up the temporary files and the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/windows/disk-cleanup-in-windows-8a96ff42-5751-39ad-23d6-434b4d5b9a68).| +|0xC1900209|The user has chosen to cancel because the system doesn't pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.|Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](/archive/blogs/mniehaus/windows-10-pre-upgrade-validation-using-setup-exe) for more information.
You can also download the Windows Assessment and Deployment Kit (ADK) for Windows 10 and install Application Compatibility Tools.| |0x8007002|This error is specific to upgrades using System Center 2012 Configuration Manager R2 SP1 CU3 (5.00.8238.1403)|Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
The error 80072efe means that the connection with the server was terminated abnormally.
To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.| -|0x80240FFF|Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with Microsoft Endpoint Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.|You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:
- Disable the Upgrades classification.
- Install hotfix 3095113.
- Delete previously synched updates.
- Enable the Upgrades classification.
- Perform a full synch.
For detailed information on how to run these steps check out How to delete upgrades in WSUS.| -|0x8007007E|Occurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with Microsoft Endpoint Configuration Manager.|Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.
Stop the Windows Update service.
- Sign in as a user with administrative privileges, and then do the following:
- Open Administrative Tools from the Control Panel.
- Double-click Services.
- Find the Windows Update service, right-click it, and then select Stop. If prompted, enter your credentials.
Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.
Restart the Windows Update service.| +|0x80240FFF|Occurs when update synchronization fails. It can occur when you're using Windows Server Update Services on its own or when it's integrated with Microsoft Endpoint Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.|You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:
- Disable the Upgrades classification.
- Install hotfix 3095113.
- Delete previously synched updates.
- Enable the Upgrades classification.
- Perform a full synch.
For detailed information on how to run these steps check out How to delete upgrades in WSUS.| +|0x8007007E|Occurs when update synchronization fails because you don't have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you're using standalone Windows Server Update Services or when WSUS is integrated with Microsoft Endpoint Configuration Manager.|Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.
Stop the Windows Update service.
- Sign in as a user with administrative privileges, and then do the following:
- Open Administrative Tools from the Control Panel.
- Double-click Services.
- Find the Windows Update service, right-click it, and then select Stop. If prompted, enter your credentials.
Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.
Restart the Windows Update service.| ## Other error codes | Error Codes | Cause | Mitigation | | --- | --- | --- | |0x80070003- 0x20007|This is a failure during SafeOS phase driver installation.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.| -|0x8007025D - 0x2000C|This error occurs if the ISO file's metadata is corrupt or if there is an issue with the storage medium, such as a RAM module containing bad blocks during the installation of Windows.|Re-download the ISO/Media and re-attempt the upgrade
Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).| +|0x8007025D - 0x2000C|This error occurs if the ISO file's metadata is corrupt or if there's an issue with the storage medium, such as a RAM module containing bad blocks during the installation of Windows.|Redownload the ISO/Media and reattempt the upgrade
Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).| |0x80070490 - 0x20007|An incompatible device driver is present.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.| |0xC1900101 - 0x2000c|An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.|Run checkdisk to repair the file system. For more information, see the [quick fixes](quick-fixes.md) section in this guide.
Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.| |0xC1900200 - 0x20008|The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.|See [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) and verify the computer meets minimum requirements.Review logs for [compatibility information](/archive/blogs/askcore/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues).| @@ -102,7 +102,7 @@ See the following general troubleshooting procedures associated with a result co |0xC1900101 - 0x4001E|Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.|This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section.| |0x80070005 - 0x4000D|The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.|[Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access denied.| |0x80070004 - 0x50012|Windows Setup failed to open a file.|[Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access problems.| -|0xC190020e
0x80070070 - 0x50011
0x80070070 - 0x50012
0x80070070 - 0x60000|These errors indicate the computer does not have enough free space available to install the upgrade.|To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.**Note:** If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.| +|0xC190020e
0x80070070 - 0x50011
0x80070070 - 0x50012
0x80070070 - 0x60000|These errors indicate the computer doesn't have enough free space available to install the upgrade.|To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there isn't enough space, attempt to [free up drive space](https://support.microsoft.com/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.**Note:** If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8 GB (16 GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards aren't migrated if the device doesn't support Connected Standby.| ## Modern setup errors @@ -110,10 +110,10 @@ Also see the following sequential list of modern setup (mosetup) error codes wit | Result code | Message | Description | | --- | --- | --- | -| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Please verify the package contents. | +| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Verify the package contents. | | 0XC1900101 | MOSETUP_E_SETUP_PLATFORM | The Setup Platform has encountered an unspecified error. | | 0XC1900102 | MOSETUP_E_SHUTDOWN_BLOCK | Unable to create or destroy the shutdown block message. | -| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues were not resolved within the required time limit. | +| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues weren't resolved within the required time limit. | | 0XC1900104 | MOSETUP_E_PROCESS_TIMEOUT | The installation process did not complete within the required time limit. | | 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. | | 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. | @@ -131,7 +131,7 @@ Also see the following sequential list of modern setup (mosetup) error codes wit | 0XC1900113 | MOSETUP_E_EULA_DECLINED | The user has declined the license terms. | | 0XC190011e | MOSETUP_E_FLIGHTING_BVT | The installation process has been halted for testing purposes. | | 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. | -| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. | +| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted the EULA within the required time limit. | | 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. | | 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download disk space issues were not resolved within the required time limit. | | 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install disk space issues were not resolved within the required time limit. | diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index 9b42f69d51..c5c2dd15aa 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -62,7 +62,7 @@ As the authorized administrator, it is your responsibility to protect the privac - **Encrypting File System (EFS)** - Take extreme caution when migrating encrypted files, because the end user does not need to be logged on to capture the user state. By default, USMT fails if an encrypted file is found. For more information about EFS best practices, see this article in the [Microsoft Knowledge Base](https://go.microsoft.com/fwlink/p/?linkid=163). For specific instructions about EFS best practices, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). + Take extreme caution when migrating encrypted files, because the end user does not need to be logged on to capture the user state. By default, USMT fails if an encrypted file is found. For specific instructions about EFS best practices, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). **Important** If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md index 616679ded8..bd33a0fe0c 100644 --- a/windows/deployment/usmt/usmt-resources.md +++ b/windows/deployment/usmt/usmt-resources.md @@ -28,7 +28,7 @@ ms.topic: article For more information about how to use the schema with your XML authoring environment, see the environment’s documentation. -- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365) +- [Ask the Directory Services Team blog](/archive/blogs/askds/) - Forums: diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index e3d470f779..09bd64cb23 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -191,7 +191,7 @@ The deployment process for the replace scenario is as follows: - [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) -- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) +- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md) - [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) - [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 95e0124031..b21f910bb4 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -132,18 +132,18 @@ Now that the devices have Windows 10/11 Enterprise, you can implement Device Gu For more information about implementing Device Guard, see: -- [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process) +- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) - [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) ### AppLocker management -You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10/11 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. +You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that you have AD DS and that the Windows 10/11 Enterprise devices are joined to your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide). ### App-V -App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that the you must have are as follows: +App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows: - **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. @@ -158,7 +158,7 @@ For more information about implementing the App-V server, App-V sequencer, and A - [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client) ### UE-V -UE-V requires server- and client-side components that you you’ll need to download, activate, and install. These components include: +UE-V requires server- and client-side components that you’ll need to download, activate, and install. These components include: - **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index e38f173747..7b2c202eac 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -18,7 +18,7 @@ ms.collection: highpri # Windows 10 deployment scenarios and tools -To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. +To successfully deploy the Windows 10 operating system and applications for your organization, it's essential that you know about the available tools to help with the process. In this topic, you'll learn about the most commonly used tools for Windows 10 deployment. Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It's when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) or [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) that you get the complete deployment solution. @@ -27,7 +27,7 @@ In this topic, you also learn about different types of reference images that you ## Windows Assessment and Deployment Kit -Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). +Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more information, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).  @@ -61,7 +61,7 @@ For more information on DISM, see [DISM technical reference](/windows-hardware/m USMT is a backup and restore tool that allows you to migrate user state, data, and settings from one installation to another. Microsoft Deployment Toolkit (MDT) and System Center 2012 R2 Configuration Manager use USMT as part of the operating system deployment process. **Note** -Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you will learn below, using USMT is not difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it is easy to use. With MDT, you do nothing at all and USMT just works. +Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you'll learn below, using USMT isn't difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it's easy to use. With MDT, you do nothing at all and USMT just works. @@ -89,16 +89,16 @@ By default USMT migrates many settings, most of which are related to the user pr - Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. **Note** - The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default. + The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use aren't migrated by default. - Operating system component settings - Application settings -These are the settings migrated by the default MigUser.xml and MigApp.xml templates. For more details on what USMT migrates, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more information on the USMT overall, see the [USMT technical reference](./usmt/usmt-reference.md). +These are the settings migrated by the default MigUser.xml and MigApp.xml templates. For more information on what USMT migrates, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more information on the USMT overall, see the [USMT technical reference](./usmt/usmt-reference.md). ### Windows Imaging and Configuration Designer -Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image. +Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for reimaging the device with a custom image.  @@ -108,7 +108,7 @@ For more information, see [Windows Imaging and Configuration Designer](/windows/ ### Windows System Image Manager (Windows SIM) -Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don't need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall. +Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don't need Windows SIM often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.  @@ -142,12 +142,12 @@ The key thing to know about Windows PE is that, like the operating system, it ne A machine booted with the Windows ADK default Windows PE boot image. -For more details on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro). +For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro). ## Windows Recovery Environment -Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE. +Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you'll see an automatic failover into Windows RE.  @@ -158,17 +158,17 @@ For more information on Windows RE, see [Windows Recovery Environment](/windows- ## Windows Deployment Services -Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker. +Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you'll use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.  Windows Deployment Services using multicast to deploy three machines. -In Windows Server 2012 R2, [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11)) can be configured for stand-alone mode or for Active Directory integration. In most scenarios, the Active Directory integration mode is the best option. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you will use them instead. In WDS, it is possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management. +In Windows Server 2012 R2, [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11)) can be configured for stand-alone mode or for Active Directory integration. In most scenarios, the Active Directory integration mode is the best option. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you'll use them instead. In WDS, it's possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management. ### Trivial File Transfer Protocol (TFTP) configuration -In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—was not user friendly. In Windows Server 2012, this has become much easier to do as it can be configured as a setting. +In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—wasn't user friendly. In Windows Server 2012, this has become much easier to do as it can be configured as a setting. Also, there are a few new features related to TFTP performance: @@ -201,7 +201,7 @@ For more information on MDT, see the [Microsoft Deployment Toolkit](/mem/configm ## Microsoft Security Compliance Manager 2013 -[Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer. +[Microsoft SCM](https://www.microsoft.com/download/details.aspx?id=53353) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.  @@ -248,14 +248,14 @@ For more information on WSUS, see the [Windows Server Update Services Overview]( ## Unified Extensible Firmware Interface -For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. **UEFI** is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment. +For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment. ### Introduction to UEFI BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including: - 16-bit code -- 1 MB address space +- 1-MB address space - Poor performance on ROM initialization - MBR maximum bootable disk size of 2.2 TB @@ -264,17 +264,17 @@ As the replacement to BIOS, UEFI has many features that Windows can and will use With UEFI, you can benefit from: - **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks. -- **Faster boot time.** UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. +- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. - **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. - **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. -- **CPU-independent architecture.** Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. -- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. +- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. +- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. - **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. -- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader. +- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader. ### Versions -UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later. +UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later. ### Hardware support for UEFI @@ -283,22 +283,22 @@ In regard to UEFI, hardware is divided into four device classes: - **Class 0 devices.** This is the UEFI definition for a BIOS, or non-UEFI, device. - **Class 1 devices.** These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. - **Class 2 devices.** These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. -- **Class 3 devices.** These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS. +- **Class 3 devices.** These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS. ### Windows support for UEFI Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers. -With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. +With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI doesn't support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. ### How UEFI is changing operating system deployment There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices: - Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. -- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. -- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB. -- UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit). +- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. +- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB. +- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit). For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources. diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md deleted file mode 100644 index c56d9a43c6..0000000000 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ /dev/null @@ -1,101 +0,0 @@ ---- -title: Microsoft Security Compliance Toolkit 1.0 -description: This article describes how to use the Security Compliance Toolkit 1.0 in your organization -keywords: virtualization, security, malware -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.author: dansimp -author: dulcemontemayor -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 11/21/2019 -ms.reviewer: -ms.technology: windows-sec ---- - -# Microsoft Security Compliance Toolkit 1.0 Usage - -## What is the Security Compliance Toolkit (SCT)? - -The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products. - -The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy. - - -The Security Compliance Toolkit consists of: - -- Windows 10 security baselines - - Windows 10, Version 21H1 (May 2021 Update) - - Windows 10, Version 20H2 (October 2020 Update) - - Windows 10, Version 2004 (May 2020 Update) - - Windows 10, Version 1909 (November 2019 Update) - - Windows 10, Version 1809 (October 2018 Update) - - Windows 10, Version 1607 (Anniversary Update) - - Windows 10, Version 1507 - -- Windows Server security baselines - - Windows Server 2022 - - Windows Server 2019 - - Windows Server 2016 - - Windows Server 2012 R2 - -- Microsoft Office security baseline - - Microsoft 365 Apps for enterprise, Version 2104 - -- Microsoft Edge security baseline - - Version 93 - -- Windows Update security baseline - - Windows 10 20H2 and below (October 2020 Update) - -- Tools - - Policy Analyzer tool - - Local Group Policy Object (LGPO) tool - - Set Object Security tool - - GPO to PolicyRules tool - -- Scripts - - Baseline-ADImport.ps1 - - Baseline-LocalInstall.ps1 - - Remove-EPBaselineSettings.ps1 - - MapGuidsToGpoNames.ps1 - - -You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines). - -## What is the Policy Analyzer tool? - -The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include: -- Highlight when a set of Group Policies has redundant settings or internal inconsistencies -- Highlight the differences between versions or sets of Group Policies -- Compare GPOs against current local policy and local registry settings -- Export results to a Microsoft Excel spreadsheet - -Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. - -More information on the Policy Analyzer tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-tool-policy-analyzer/ba-p/701049) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). - -## What is the Local Group Policy Object (LGPO) tool? - -LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. -Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. -LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files. -It can export local policy to a GPO backup. -It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. - -Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). - -## What is the Set Object Security tool? - -SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value. - -Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). - -## What is the GPO to Policy Rules tool? - -Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download. - -Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index aa10905181..0274a768dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/21/2017 ms.technology: windows-sec --- @@ -69,6 +68,20 @@ The following table contains information about the events that you can use to de | 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| | 8025 | Warning| Packaged app installation disabled.| Added in Windows Server 2012 and Windows 8.| | 8027 | Warning| No Packaged app rule configured.| Added in Windows Server 2012 and Windows 8.| +| 8028 | Warning | * was allowed to run but would have been prevented if the Config CI policy were enforced.| Added in Windows Server 2016 and Windows 10.| +| 8029 | Error | * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.| +| 8030 | Information | ManagedInstaller check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| +| 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10.| +| 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| +| 8033 | Warning | ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit Applocker Policy. | Added in Windows Server 2016 and Windows 10.| +| 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| +| 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| +| 8036 | Error | * was prevented from running due to Config CI policy | Added in Windows Server 2016 and Windows 10.| +| 8037 | Information | * passed Config CI policy and was allowed to run | Added in Windows Server 2016 and Windows 10.| +| 8038 | Information | Publisher info: Subject: * Issuer: * Signature index * (* total) | Added in Windows Server 2016 and Windows 10.| +| 8039 | Warning | * passed Config CI policy and was allowed to run | Added in Windows Server 2016 and Windows 10.| +| 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy | Added in Windows Server 2016 and Windows 10.| + ## Related topics diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index 3525284dcd..3058486461 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -46,7 +46,6 @@ The Security Compliance Toolkit consists of: - Microsoft Office security baseline - Microsoft 365 Apps for Enterprise Version 2112 - - Office 2016 - Microsoft Edge security baseline - Edge version 98 diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 766f8e4345..3c1c1c14e2 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -41,7 +41,7 @@ AppLocker was available for Windows 8.1, and is improved with Windows 10. See [R Enhancements to AppLocker in Windows 10 include: - A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. -- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. +- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was added to allow you to enable AppLocker rules by using an MDM server. [Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). @@ -76,9 +76,9 @@ In Windows 10, security auditing has added some improvements: In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: - [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. -- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. +- [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. + A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs is included in the event. #### More info added to existing audit events @@ -126,7 +126,7 @@ The logon event ID 4688 has been updated to include more verbose information to 2. **TargetUserName** String The account name of the target user. 3. **TargetDomainName** String - The domain of the target user.. + The domain of the target user. 4. **TargetLogonId** String The logon ID of the target user. 5. **ParentProcessName** String @@ -165,7 +165,7 @@ Event ID 4826 has been added to track the following changes to the Boot Configur Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. -[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). +[Learn how to manage your security audit policies within your organization](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319078(v=ws.11)) ### Trusted Platform Module @@ -196,7 +196,7 @@ User Account Control (UAC) helps prevent malware from damaging a computer and he You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. -For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). +For more info about how to manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). In Windows 10, User Account Control has added some improvements: diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 76b3dae302..354488f563 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -118,12 +118,12 @@ Windows Information Protection (WIP) helps to protect against this potential dat Several new features and management options have been added to Windows Defender in this version of Windows 10. -- [Windows Defender Offline in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. -- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans. -- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. -- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal. -- [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus). -- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times. +- [Windows Defender Offline in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-offline) can be run directly from within Windows, without having to create bootable media. +- [Use PowerShell cmdlets for Windows Defender](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans. +- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal. +- [Run a Windows Defender scan from the command line](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus). +- [Detect and block Potentially Unwanted Applications with Windows Defender](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times. ### Microsoft Defender for Endpoint diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index e906337f68..40a615660a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -200,7 +200,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti - You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). -- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). +- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). [Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). @@ -362,7 +362,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). -2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in. 3. On the lock screen, select web sign-in under sign-in options. 4. Click the “Sign in” button to continue. @@ -532,7 +532,7 @@ In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnost ### Application Virtualization for Windows (App-V) -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. For more info, see the following topics: - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) @@ -578,7 +578,7 @@ Users attempt to connect to a Miracast receiver as they did previously. When the - Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. - No changes to current wireless drivers or PC hardware are required. - It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. -- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. +- It leverages an existing connection that both reduces the time to connect and provides a very stable stream. #### Enabling Miracast over Infrastructure diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 6be3ca4505..8384e85778 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -46,7 +46,7 @@ For information about tools to evaluate readiness, see [Determine eligibility](w ## Operating system requirements -For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 2004 or later. +Eligible Windows 10 devices must be on version 2004 or later, and have installed the September 14, 2021 security update or later, to upgrade directly to Windows 11. > [!NOTE] > S mode is only supported on the Home edition of Windows 11.