diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index b359a5d989..6ba49fc316 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -5167,7 +5167,7 @@ }, { "source_path": "windows/device-security/security-compliance-toolkit-10.md", - "redirect_url": "/windows/security/threat-protection/security-compliance-toolkit-10", + "redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10", "redirect_document_id": false }, { @@ -19505,6 +19505,11 @@ "redirect_url": "/education/", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/security-compliance-toolkit-10.md", + "redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10", + "redirect_document_id": false + }, { "source_path": "windows/education/developers.yml", "redirect_url": "/education/", diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml index 54276502a1..c9dd04c446 100644 --- a/browsers/edge/microsoft-edge.yml +++ b/browsers/edge/microsoft-edge.yml @@ -77,7 +77,7 @@ landingContent: - linkListType: download links: - text: NSS Labs web browser security reports - url: https://www.microsoft.com/download/details.aspx?id=54773 + url: https://www.microsoft.com/download/details.aspx?id=58080 - linkListType: overview links: - text: Microsoft Edge sandbox diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml index 68b6be4505..27e231694f 100644 --- a/browsers/internet-explorer/internet-explorer.yml +++ b/browsers/internet-explorer/internet-explorer.yml @@ -46,8 +46,6 @@ landingContent: url: https://mva.microsoft.com/training-courses/getting-started-with-windows-10-for-it-professionals-10629?l=fCowqpy8_5905094681 - text: 'Windows 10: Top Features for IT Pros' url: https://mva.microsoft.com/training-courses/windows-10-top-features-for-it-pros-16319?l=xBnT2ihhC_7306218965 - - text: Manage and modernize Internet Explorer with Enterprise Mode - url: https://channel9.msdn.com/events/teched/newzealand/2014/pcit307 - text: 'Virtual Lab: Enterprise Mode' url: https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02 diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 6a7469a644..0f7ca6f332 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,12 +2,9 @@ -## Week of March 14, 2022 +## Week of April 18, 2022 | Published On |Topic title | Change | |------|------------|--------| -| 3/18/2022 | Educator Trial in a Box Guide | removed | -| 3/18/2022 | Microsoft Education Trial in a Box | removed | -| 3/18/2022 | IT Admin Trial in a Box Guide | removed | -| 3/18/2022 | Microsoft Education Trial in a Box Support | removed | +| 4/21/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 66569c4674..2e01f756fe 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -486,8 +486,8 @@ Table 9. Management systems and deployment resources |Windows provisioning packages|
The root node for the Policy configuration service provider. +The root node for the Policy configuration service provider. -
Supported operation is Get. +Supported operation is Get. **Policy/Config** -
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. +Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value) the configuration source can use the Policy/Result path to retrieve the resulting value. -
Supported operation is Get. +Supported operation is Get. **Policy/Config/_AreaName_** -
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. +The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. -
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/Config/_AreaName/PolicyName_** -
Specifies the name/value pair used in the policy. +Specifies the name/value pair used in the policy. -
The following list shows some tips to help you when configuring policies: +The following list shows some tips to help you when configuring policies: -- Separate substring values by the Unicode &\#xF000; in the XML file. +- Separate substring values by the Unicode &\#xF000; in the XML file. -> [!NOTE] -> A query from a different caller could provide a different value as each caller could have different values for a named policy. + > [!NOTE] + > A query from a different caller could provide a different value as each caller could have different values for a named policy. -- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. -- Supported operations are Add, Get, Delete, and Replace. -- Value type is string. +- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. +- Supported operations are Add, Get, Delete, and Replace. +- Value type is string. **Policy/Result** -
Groups the evaluated policies from all providers that can be configured. +Groups the evaluated policies from all providers that can be configured. -
Supported operation is Get. +Supported operation is Get. **Policy/Result/_AreaName_** -
The area group that can be configured by a single technology independent of the providers. +The area group that can be configured by a single technology independent of the providers. -
Supported operation is Get. +Supported operation is Get. **Policy/Result/_AreaName/PolicyName_** -
Specifies the name/value pair used in the policy. +Specifies the name/value pair used in the policy. -
Supported operation is Get. +Supported operation is Get. **Policy/ConfigOperations** -
Added in Windows 10, version 1703. The root node for grouping different configuration operations. +Added in Windows 10, version 1703. The root node for grouping different configuration operations. -
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall** -
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall
. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration.
+Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall
. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
-
ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}
.
+ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}
.
-
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_** -
Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. +Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. -
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy** -
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. +Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. -
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_** -
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. +Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. -
Supported operations are Add and Get. Does not support Delete. +Supported operations are Add and Get. Does not support Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference** -
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. +Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. -
Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_** -
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. - -
Supported operations are Add and Get. Does not support Delete. +Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. +Supported operations are Add and Get. Does not support Delete. ## Policies diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 53f46805cf..f23dbf7f6b 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - AboveLock - -
If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. -- 1 – Allowed. Add up to five additional search engines and set any one of them as the default.
For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). +- 1 – Allowed. Add up to five more search engines and set any one of them as the default.
For each search engine added, you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Most restricted value: 0 @@ -1871,7 +1871,7 @@ Supported values: - If it’s one of many apps, Microsoft Edge runs as normal. **1**: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you don't configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. @@ -2113,7 +2113,7 @@ Most restricted value: 0 [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../includes/disable-lockdown-of-start-pages-shortdesc.md)] > [!NOTE] -> This policy has no effect when the Browser/HomePages policy is not configured. +> This policy has no effect when the Browser/HomePages policy isn't configured. > [!IMPORTANT] > This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy). @@ -2235,7 +2235,7 @@ ADMX Info: Supported values: -- 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. +- 0 (default) - Turned off. Microsoft Edge doesn't check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. - 1 - Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.
For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp).
@@ -2312,13 +2312,13 @@ Supported values:
[!INCLUDE [configure-start-pages-shortdesc](../includes/configure-start-pages-shortdesc.md)]
**Version 1607** _Microsoft.OneNoteWebClipper8wekyb3d8bbwe_ After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension.
+- String - Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper extension prevents users from turning it off: _Microsoft.OneNoteWebClipper8wekyb3d8bbwe_ After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list doesn't uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy doesn't prevent users from debugging and altering the logic on an extension.
@@ -2933,7 +2933,7 @@ ADMX Info:
Supported values:
- 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically.
-- 1 - Only intranet sites open in Internet Explorer 11 automatically. Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser. A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab. Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser. A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it isn't yet running, or in a new tab. Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add. If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**. If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**.
+- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users can't change the default search engine. Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add. If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**. If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**.
Most restricted value: 1
@@ -3160,9 +3160,9 @@ ADMX Info:
Supported values:
-- 0 (default) – No additional message displays.
-- 1 – Show an additional message stating that a site has opened in IE11.
-- 2 - Show an additional message with a "Keep going in Microsoft Edge" link.
+- 0 (default) – No other message displays.
+- 1 – Show another message stating that a site has opened in IE11.
+- 2 - Show another message with a "Keep going in Microsoft Edge" link.
Most restricted value: 0
@@ -3198,8 +3198,8 @@ Most restricted value: 0
-This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after 3/9/2021 to avoid confusion for their enterprise users and reduce help desk calls.
-By default, a notification will be presented to the user informing them of this upon application startup.
+This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after March 9, 2021, to avoid confusion for their enterprise users and reduce help desk calls.
+By default, a notification will be presented to the user informing them of this update upon application startup.
With this policy, you can either allow (default) or suppress this notification.
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index a88970a383..48876d706e 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -82,11 +82,11 @@ You can specify either a default setting for all apps or a per-app setting by sp
If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
-If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization cannot change it.
+If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization can't change it.
-If you choose the "Force Deny" option, Windows apps are not allowed to access cellular data and employees in your organization cannot change it.
+If you choose the "Force Deny" option, Windows apps aren't allowed to access cellular data and employees in your organization can't change it.
-If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
+If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.”
@@ -271,7 +271,7 @@ ADMX Info:
This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX.
If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page.
-If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.
+If this policy setting is disabled or isn't configured, the link to the per-application cellular access control page is shown by default.
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index a4eb170e5c..d5df4315c1 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -105,9 +105,9 @@ manager: dansimp
Allows the user to enable Bluetooth or restrict access.
> [!NOTE]
-> This value is not supported in Windows 10.
+> This value isn't supported in Windows 10.
-If this is not set or it is deleted, the default value of 2 (Allow) is used.
+If this policy isn't set or is deleted, the default value of 2 (Allow) is used.
Most restricted value is 0.
@@ -115,9 +115,9 @@ Most restricted value is 0.
The following list shows the supported values:
-- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user will not be able to turn Bluetooth on.
-- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
-- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
+- 0 – Disallow Bluetooth. If the value is set to 0, the radio in the Bluetooth control panel will be grayed out and the user won't be able to turn on Bluetooth.
+- 1 – Reserved. If the value is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn on Bluetooth.
+- 2 (default) – Allow Bluetooth. If the value is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn on Bluetooth.
@@ -151,15 +151,15 @@ The following list shows the supported values:
-Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
+Allows the cellular data channel on the device. Device reboot isn't required to enforce the policy.
The following list shows the supported values:
-- 0 – Do not allow the cellular data channel. The user cannot turn it on. This value is not supported in Windows 10, version 1511.
+- 0 – Don't allow the cellular data channel. The user can't turn it on. This value isn't supported in Windows 10, version 1511.
- 1 (default) – Allow the cellular data channel. The user can turn it off.
-- 2 - Allow the cellular data channel. The user cannot turn it off.
+- 2 - Allow the cellular data channel. The user can't turn it off.
@@ -193,7 +193,7 @@ The following list shows the supported values:
-Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
+Allows or disallows cellular data roaming on the device. Device reboot isn't required to enforce the policy.
Most restricted value is 0.
@@ -209,15 +209,15 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511.
+- 0 – Don't allow cellular data roaming. The user can't turn it on. This value isn't supported in Windows 10, version 1511.
- 1 (default) – Allow cellular data roaming.
-- 2 - Allow cellular data roaming on. The user cannot turn it off.
+- 2 - Allow cellular data roaming on. The user can't turn it off.
To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
-To validate on devices, do the following:
+To validate on devices, perform the following steps:
1. Go to Cellular & SIM.
2. Click on the SIM (next to the signal strength icon) and select **Properties**.
@@ -301,8 +301,8 @@ The following list shows the supported values:
This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC.
-If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device is not allowed to be linked to phones, will remove itself from the device list of any linked Phones, and cannot participate in 'Continue on PC experiences'.
-If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
+If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device isn't allowed to be linked to phones, will remove itself from the device list of any linked Phones, and can't participate in 'Continue on PC experiences'.
+If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
@@ -314,14 +314,14 @@ ADMX Info:
This setting supports a range of values between 0 and 1.
-- 0 - Do not link
+- 0 - Don't link
- 1 (default) - Allow phone-PC linking
Validation:
-If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be grayed out and clicking it will not launch the window for a user to enter their phone number.
+If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be grayed out and clicking it won't launch the window for a user to enter their phone number.
Device that has previously opt-in to MMX will also stop showing on the device list.
@@ -360,7 +360,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li
> [!NOTE]
> Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition.
-Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.
+Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy doesn't affect USB charging.
Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.
@@ -413,7 +413,7 @@ Most restricted value is 0.
The following list shows the supported values:
-- 0 – VPN is not allowed over cellular.
+- 0 – VPN isn't allowed over cellular.
- 1 (default) – VPN can use any connection, including cellular.
@@ -493,13 +493,13 @@ The following list shows the supported values:
This policy setting specifies whether to allow printing over HTTP from this client.
-Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.
+Printing over HTTP allows a client to print to printers on the intranet and the Internet.
-Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.
+Note: This policy setting affects the client side of Internet printing only. It doesn't prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.
If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP.
-If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP.
+If you disable or don't configure this policy setting, users can choose to print to Internet printers over HTTP.
Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers.
@@ -549,11 +549,11 @@ This policy setting specifies whether to allow this client to download print dri
To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP.
-Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally.
+Note: This policy setting doesn't prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that aren't already installed locally.
-If you enable this policy setting, print drivers cannot be downloaded over HTTP.
+If you enable this policy setting, print drivers can't be downloaded over HTTP.
-If you disable or do not configure this policy setting, users can download print drivers over HTTP.
+If you disable or don't configure this policy setting, users can download print drivers over HTTP.
@@ -601,11 +601,11 @@ This policy setting specifies whether Windows should download a list of provider
These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry.
-If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed.
+If you enable this policy setting, Windows doesn't download providers, and only the service providers that are cached in the local registry are displayed.
-If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards.
+If you disable or don't configure this policy setting, a list of providers is downloaded when the user uses the web publishing or online ordering wizards.
-See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry.
+For more information, including details on specifying service providers in the registry, see the documentation for the web publishing and online ordering wizards.
@@ -695,7 +695,7 @@ ADMX Info:
This policy setting configures secure access to UNC paths.
-If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
+If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling other security requirements.
@@ -741,11 +741,11 @@ ADMX Info:
Determines whether a user can install and configure the Network Bridge.
-Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.
+Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting doesn't apply.
The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segments together. This connection appears in the Network Connections folder.
-If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer.
+If you disable this setting or don't configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting doesn't remove an existing Network Bridge from the user's computer.
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index 12fbbf04b0..e66ffbee8b 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -71,9 +71,9 @@ The following list shows the supported values:
- 0 (default)
- 1 - The MDM policy is used and the GP policy is blocked.
-The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that:
+The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the first set of the policy. This activation ensures that:
-- GP settings that correspond to MDM applied settings are not conflicting
+- GP settings that correspond to MDM applied settings aren't conflicting
- The current Policy Manager policies are refreshed from what MDM has set
- Any values set by scripts/user outside of GP that conflict with MDM are removed
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index 87b03eb667..da8c5cd222 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -65,11 +65,11 @@ manager: dansimp
Remote host allows delegation of non-exportable credentials
-When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host.
+When credential delegation is being used, devices provide an exportable version of credentials to the remote host. This version exposes users to the risk of credential theft from attackers on the remote host.
If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.
-If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host.
+If you disable or don't configure this policy setting, Restricted Administration and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host.
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 2b0be6c478..f242322253 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -68,9 +68,9 @@ manager: dansimp
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
-If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
+If you enable this policy setting, the password reveal button won't be displayed after a user types a password in the password entry text box.
-If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.
+If you disable or don't configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.
By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.
@@ -118,7 +118,7 @@ ADMX Info:
-This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.
+This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts aren't displayed when the user attempts to elevate a running application.
If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 4e05320c00..7a37cafe94 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -610,7 +610,7 @@ The following list shows the supported values:
> This policy is only enforced in Windows 10 for desktop.
-Allows or disallows Windows Defender Realtime Monitoring functionality.
+Allows or disallows Windows Defender real-time Monitoring functionality.
@@ -761,7 +761,7 @@ The following list shows the supported values:
> This policy is only enforced in Windows 10 for desktop.
-Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
+Allows or disallows user access to the Windows Defender UI. I disallowed, all Windows Defender notifications will also be suppressed.
@@ -863,7 +863,7 @@ ADMX Info:
> This policy is only enforced in Windows 10 for desktop.
-This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
+This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (Azure Site Recovery) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction).
@@ -966,11 +966,11 @@ Valid values: 0–100
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan.
-This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface.
+This setting applies to scheduled scans and the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface.
If you enable this setting, a check for new definitions will occur before running a scan.
-If you disable this setting or do not configure this setting, the scan will start using the existing definitions.
+If you disable this setting or don't configure this setting, the scan will start using the existing definitions.
Supported values:
@@ -1057,7 +1057,7 @@ The following list shows the supported values:
- 0x0 - Default windows defender blocking level
- 0x2 - High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
-- 0x4 - High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact client performance)
+- 0x4 - High+ blocking level – aggressively block unknowns and apply more protection measures (may impact client performance)
- 0x6 - Zero tolerance blocking level – block all unknown executables
@@ -1097,7 +1097,7 @@ The following list shows the supported values:
This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.
-The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.
+The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an extra 50 seconds.
For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
@@ -1148,7 +1148,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
-Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it won't be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
@@ -1194,7 +1194,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
-This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
+This policy setting allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can't be changed. Value type is string. Use the | as the substring separator.
@@ -1244,7 +1244,7 @@ ADMX Info:
Time period (in days) that quarantine items will be stored on the system.
-The default value is 0, which keeps items in quarantine, and does not automatically remove them.
+The default value is 0, which keeps items in quarantine, and doesn't automatically remove them.
@@ -1293,9 +1293,9 @@ Valid values: 0–90
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
+If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run.
-If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
+If you disable or don't configure this setting, catch-up scans for scheduled full scans will be turned off.
Supported values:
@@ -1356,9 +1356,9 @@ ADMX Info:
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
+If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run.
-If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.
+If you disable or don't configure this setting, catch-up scans for scheduled quick scans will be turned off.
Supported values:
@@ -1475,7 +1475,7 @@ This policy setting allows you to enable or disable low CPU priority for schedul
If you enable this setting, low CPU priority will be used during scheduled scans.
-If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
+If you disable or don't configure this setting, not changes will be made to CPU priority for scheduled scans.
Supported values:
@@ -1535,13 +1535,13 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
+This policy allows you to turn on network protection (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This protection includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit.
-If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
-If you enable this policy with the ""Audit"" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center.
-If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center.
-If you do not configure this policy, network blocking will be disabled by default.
+If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You'll be able to see this activity in Windows Defender Security Center.
+If you enable this policy with the ""Audit"" option, users/apps won't be blocked from connecting to dangerous domains. However, you'll still see this activity in Windows Defender Security Center.
+If you disable this policy, users/apps won't be blocked from connecting to dangerous domains. You'll not see any network activity in Windows Defender Security Center.
+If you don't configure this policy, network blocking will be disabled by default.
@@ -1761,8 +1761,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications.
-- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats.
+- 0 (default) – PUA Protection off. Windows Defender won't protect against potentially unwanted applications.
+- 1 – PUA Protection on. Detected items are blocked. They'll show in history along with other threats.
- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.
@@ -2095,7 +2095,7 @@ Valid values: 0–1380.
This policy setting allows you to define the security intelligence location for VDI-configured computers.
-If you disable or do not configure this setting, security intelligence will be referred from the default local source.
+If you disable or don't configure this setting, security intelligence will be referred from the default local source.
@@ -2155,9 +2155,9 @@ Possible values are:
For example: InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC
-If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
+If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted.
-If you disable or do not configure this setting, definition update sources will be contacted in a default order.
+If you disable or don't configure this setting, definition update sources will be contacted in a default order.
OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder
@@ -2217,9 +2217,9 @@ For example: \\unc1\Signatures | \\unc2\Signatures
The list is empty by default.
-If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
+If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted.
-If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
+If you disable or don't configure this setting, the list will remain empty by default and no sources will be contacted.
OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFileSharesSources
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 43ad826d3d..ba4c441b84 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -204,7 +204,7 @@ ADMX Info:
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
-Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This policy means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
@@ -310,7 +310,7 @@ ADMX Info:
-This policy allows you to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
+This policy allows you to configure one or more Delivery Optimizations in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
@@ -374,7 +374,7 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a
This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer.
-After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from peers. Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600).
+After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from peers. A download that is waiting for peer sources will appear to be stuck for the end user. The recommended value is 1 hour (3600).
@@ -529,9 +529,9 @@ Supported values: 0 - one month (in seconds)
This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer.
-After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers.
+After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
-Note that a download that is waiting for peer sources, will appear to be stuck for the end user.
+A download that is waiting for peer sources, will appear to be stuck for the end user.
The recommended value is 1 minute (60).
@@ -550,7 +550,7 @@ The following list shows the supported values as number of seconds:
- 0 to 86400 (1 day)
- 0 - managed by the cloud service
-- Default is not configured.
+- Default isn't configured.
@@ -607,8 +607,8 @@ The following list shows the supported values:
- 1 (default) – HTTP blended with peering behind the same NAT.
- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
- 3 – HTTP blended with Internet peering.
-- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
-- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release.
+- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
+- 100 - Bypass mode. Don't use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. This value is deprecated and will be removed in a future release.
@@ -645,7 +645,7 @@ The following list shows the supported values:
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
-This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity.
+This policy specifies an arbitrary group ID that the device belongs to. Use this ID if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN. This approach is a best effort optimization and shouldn't be relied on for an authentication of identity.
> [!NOTE]
> You must use a GUID as the group ID.
@@ -701,7 +701,7 @@ The options set in this policy only apply to Group (2) download mode. If Group (
For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
-Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
+Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this task, set the value of DOGroupIdSource to 5.
@@ -802,7 +802,7 @@ ADMX Info:
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
-Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
+Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607.
The default value is 259200 seconds (3 days).
@@ -947,7 +947,7 @@ ADMX Info:
-This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which is not used in commercial deployments. There is no alternate policy to use.
+This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which isn't used in commercial deployments. There's no alternate policy to use.
@@ -1332,7 +1332,7 @@ ADMX Info:
Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
-Note that downloads from LAN peers will not be throttled even when this policy is set.
+Downloads from LAN peers won't be throttled even when this policy is set.
@@ -1390,12 +1390,12 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt
Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
-Note that downloads from LAN peers will not be throttled even when this policy is set.
+Downloads from LAN peers won't be throttled even when this policy is set.
ADMX Info:
-- GP Friendly namee: *Maximum Foreground Download Bandwidth (percentage)*
+- GP Friendly name: *Maximum Foreground Download Bandwidth (percentage)*
- GP name: *PercentageMaxForegroundBandwidth*
- GP element: *PercentageMaxForegroundBandwidth*
- GP path: *Windows Components/Delivery Optimization*
@@ -1499,7 +1499,7 @@ ADMX Info:
-This policy allows an IT Admin to define the following:
+This policy allows an IT Admin to define the following details:
- Business hours range (for example 06:00 to 18:00)
- % of throttle for background traffic during business hours
@@ -1551,7 +1551,7 @@ ADMX Info:
-This policy allows an IT Admin to define the following:
+This policy allows an IT Admin to define the following details:
- Business hours range (for example 06:00 to 18:00)
- % of throttle for foreground traffic during business hours
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 94bb5c7ab0..7a2f5f914a 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -63,14 +63,14 @@ manager: dansimp
-DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service which requires it.
+DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service that requires it.
The following list shows the supported values:
-- 1 — The DeviceHealthMonitoring connection is enabled.
-- 0 (default) — The DeviceHealthMonitoring connection is disabled.
+- 1—The DeviceHealthMonitoring connection is enabled.
+- 0 (default)—The DeviceHealthMonitoring connection is disabled.
@@ -112,7 +112,7 @@ The following list shows the supported values:
This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection.
-IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service.
+IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service.
@@ -158,7 +158,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to
This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios.
-In most cases, an IT Pro does not need to define this policy. Instead, it is expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. Only configure this policy manually if explicitly instructed to do so by a Microsoft device monitoring service.
+In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. Only configure this policy manually if explicitly instructed to do so by a Microsoft device monitoring service.
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 5f1a7bd17d..0cc81579bc 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -96,15 +96,15 @@ When this policy setting is enabled together with the "Apply layered order of ev
- Prevent installation of devices that match these device IDs
- Prevent installation of devices that match any of these device instance IDs
-If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
+If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
> [!NOTE]
-> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
+> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
@@ -146,7 +146,7 @@ To enable this policy, use the following SyncML. This example allows Windows to
```
-To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
```txt
>>> [Device Installation Restrictions Policy Check]
@@ -197,16 +197,16 @@ This policy setting allows you to specify a list of Plug and Play device instanc
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
- Prevent installation of devices that match any of these device instance IDs
-If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
+If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
> [!NOTE]
-> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
+> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
@@ -246,7 +246,7 @@ To enable this policy, use the following SyncML.
```
-To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
``` txt
>>> [Device Installation Restrictions Policy Check]
>>> Section start 2018/11/15 12:26:41.659
@@ -299,16 +299,16 @@ When this policy setting is enabled together with the "Apply layered order of ev
- Prevent installation of devices that match these device IDs
- Prevent installation of devices that match any of these device instance IDs
-If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
+If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
> [!NOTE]
-> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
+> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
@@ -355,7 +355,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes,
```
-To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
```txt
@@ -421,7 +421,7 @@ Device instance IDs > Device IDs > Device setup class > Removable devices
> [!NOTE]
> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
-If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
+If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
@@ -457,7 +457,7 @@ ADMX Info:
```
-To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
```txt
@@ -468,7 +468,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
```
You can also change the evaluation order of device installation policy settings by using a custom profile in Intune.
-:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image.":::
+:::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image.":::
@@ -506,9 +506,9 @@ You can also change the evaluation order of device installation policy settings
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet.
-If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab).
+If you enable this policy setting, Windows doesn't retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab).
-If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
+If you disable or don't configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
@@ -561,14 +561,14 @@ ADMX Info:
-This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting.
+This policy setting allows you to prevent the installation of devices that aren't described by any other policy setting.
> [!NOTE]
-> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting.
+> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting.
-If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting.
+If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that isn't described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting.
-If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting.
+If you disable or don't configure this policy setting, Windows is allowed to install or update the driver package for any device that isn't described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting.
@@ -585,7 +585,7 @@ ADMX Info:
-To enable this policy, use the following SyncML. This example prevents Windows from installing devices that are not specifically described by any other policy setting.
+To enable this policy, use the following SyncML. This example prevents Windows from installing devices that aren't described by any other policy setting.
```xml
@@ -607,7 +607,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f
```
-To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
```txt
>>> [Device Installation Restrictions Policy Check]
@@ -661,7 +661,7 @@ This policy setting allows you to specify a list of Plug and Play hardware IDs a
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
@@ -703,7 +703,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f
```
-To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
```txt
>>> [Device Installation Restrictions Policy Check]
@@ -756,7 +756,7 @@ This policy setting allows you to specify a list of Plug and Play device instanc
If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
@@ -795,7 +795,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f
```
-To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
``` txt
>>> [Device Installation Restrictions Policy Check]
@@ -819,7 +819,7 @@ Replace
with
```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0```
> [!Note]
- > Do not use spaces in the value.
+ > don't use spaces in the value.
3. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile.
@@ -864,7 +864,7 @@ This policy setting allows you to specify a list of device setup class globally
If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
+If you disable or don't configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
@@ -911,7 +911,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes,
```
-To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
```txt
>>> [Device Installation Restrictions Policy Check]
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 2168317903..750efe50ed 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -152,7 +152,7 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th
> This policy must be wrapped in an Atomic command.
-For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
@@ -377,16 +377,16 @@ Specifies when the password expires (in days).
-If all policy values = 0 then 0; otherwise, Min policy value is the most secure value.
+If all policy values = 0, then 0; otherwise, Min policy value is the most secure value.
-For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
The following list shows the supported values:
- An integer X where 0 <= X <= 730.
-- 0 (default) - Passwords do not expire.
+- 0 (default) - Passwords don't expire.
@@ -425,11 +425,11 @@ Specifies how many passwords can be stored in the history that can’t be used.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
+The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords.
Max policy value is the most restricted.
-For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
@@ -470,7 +470,7 @@ The following list shows the supported values:
-Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
+Specifies the default lock screen and sign-in image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and sign-in screens. Users won't be able to change this image.
> [!NOTE]
> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro.
@@ -516,14 +516,14 @@ The number of authentication failures allowed before the device will be wiped. A
> This policy must be wrapped in an Atomic command.
-On a client device, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
+On a client device, when the user reaches the value set by this policy, it isn't wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker isn't enabled, then the policy can't be enforced.
Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
-For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
@@ -573,7 +573,7 @@ On HoloLens, this timeout is controlled by the device's system sleep timeout, re
-For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
@@ -651,9 +651,9 @@ Enforced values for Local and Microsoft Accounts:
- Base 10 digits (0 through 9)
- Special characters (!, $, \#, %, etc.)
-The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
+The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
-For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
@@ -698,7 +698,7 @@ Specifies the minimum number or characters required in the PIN or password.
Max policy value is the most restricted.
-For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
@@ -767,7 +767,7 @@ This security setting determines the period of time (in days) that a password mu
The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
-Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.
+Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting doesn't follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user doesn't have to choose a new password. For this reason, Enforce password history is set to 1 by default.
@@ -811,7 +811,7 @@ Disables the lock screen camera toggle switch in PC Settings and prevents a came
By default, users can enable invocation of an available camera on the lock screen.
-If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen.
+If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera can't be invoked on the lock screen.
> [!TIP]
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 5fcf63a361..f3f60dd44f 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -113,19 +113,19 @@ ADMX Info:
-Per Process System DPI is an application compatibility feature for desktop applications that do not render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that have not been updated to display properly in this scenario will be blurry until you log out and back in to Windows.
+Per Process System DPI is an application compatibility feature for desktop applications that don't render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that haven't been updated to display properly in this scenario will be blurry until you sign out and back in to Windows.
-When you enable this policy some blurry applications will be crisp after they are restarted, without requiring the user to log out and back in to Windows.
+When you enable this policy some blurry applications will be crisp after they're restarted, without requiring the user to sign out and back in to Windows.
-Be aware of the following:
+Be aware of the following points:
-Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display that has the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors.
+Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display having the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors.
-Per Process System DPI will not work for all applications as some older desktop applications will always be blurry on high DPI displays.
+Per Process System DPI won't work for all applications as some older desktop applications will always be blurry on high DPI displays.
In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled.
-Enabling this setting lets you specify the system-wide default for desktop applications and per-application overrides. If you disable or do not configure this setting. Per Process System DPI will not apply to any processes on the system.
+Enabling this setting lets you specify the system-wide default for desktop applications and per-application overrides. If you disable or don't configure this setting, Per Process System DPI won't apply to any processes on the system.
@@ -218,13 +218,13 @@ ADMX Info:
-GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
+GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware.
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.
-If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
+If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they're enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
-If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
+If you disable or don't configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
@@ -239,7 +239,7 @@ ADMX Info:
-To validate on Desktop, do the following:
+To validate on Desktop, do the following tasks:
1. Configure the setting for an app, which has GDI DPI scaling enabled via MDM or any other supported mechanisms.
2. Run the app and observe blurry text.
@@ -276,13 +276,13 @@ To validate on Desktop, do the following:
-GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
+GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware.
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.
If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list.
-If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
+If you disable or don't configure this policy setting, GDI DPI Scaling won't be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
@@ -297,7 +297,7 @@ ADMX Info:
-To validate on Desktop, do the following:
+To validate on Desktop, do the following tasks:
1. Configure the setting for an app, which uses GDI.
2. Run the app and observe crisp text.
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index 336c23a5cb..1258127e5e 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DmaGuard
-description: Learn how to use the Policy CSP - DmaGuard setting to provide additional security against external DMA capable devices.
+description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA capable devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -56,11 +56,11 @@ manager: dansimp
-This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing.
+This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing.
-Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
+Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
-This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
+This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
> [!NOTE]
> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices.
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 4bd0742e0b..f846573eda 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Education
-description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app.
+description: Learn how to use the Policy CSP - Education setting to control the graphing functionality in the Windows Calculator app.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -65,7 +65,7 @@ manager: dansimp
-This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality.
+This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality won't be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you'll be able to access graphing functionality.
ADMX Info:
@@ -147,7 +147,7 @@ The policy value is expected to be the name (network host name) of an installed
-Allows IT Admins to prevent user installation of additional printers from the printers settings.
+Allows IT Admins to prevent user installation of more printers from the printers settings.
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 4e5f16f246..37d4c94e64 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -75,19 +75,19 @@ manager: dansimp
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
-If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
+If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those even types for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.
- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.
-- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.
+- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any extra data requested by Microsoft.
-- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.
+- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent to send any extra data requested by Microsoft.
- 4 (Send all data): Any data requested by Microsoft is sent automatically.
-If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
+If you disable or don't configure this policy setting, then the default consent settings that are applied are those settings specified by the user in Control Panel, or in the Configure Default Consent policy setting.
@@ -129,11 +129,11 @@ ADMX Info:
-This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
+This policy setting turns off Windows Error Reporting, so that reports aren't collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
-If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
+If you enable this policy setting, Windows Error Reporting doesn't send any problem information to Microsoft. Additionally, solution information isn't available in Security and Maintenance in Control Panel.
-If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
+If you disable or don't configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
@@ -179,9 +179,9 @@ This policy setting controls whether users are shown an error dialog box that le
If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.
-If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.
+If you disable this policy setting, users aren't notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that don't have interactive users.
-If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.
+If you don't configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.
See also the Configure Error Reporting policy setting.
@@ -225,11 +225,11 @@ ADMX Info:
-This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
+This policy setting controls whether extra data in support of error reports can be sent to Microsoft automatically.
-If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
+If you enable this policy setting, any extra data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
-If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
+If you disable or don't configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
@@ -273,9 +273,9 @@ ADMX Info:
This policy setting prevents the display of the user interface for critical errors.
-If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.
+If you enable this policy setting, Windows Error Reporting doesn't display any GUI-based error messages or dialog boxes for critical errors.
-If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
+If you disable or don't configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 9e1e22c296..ced6ab68a9 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - EventLogService
-description: Learn how to use the Policy CSP - EventLogService settting to control Event Log behavior when the log file reaches its maximum size.
+description: Learn how to use the Policy CSP - EventLogService setting to control Event Log behavior when the log file reaches its maximum size.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -67,9 +67,9 @@ manager: dansimp
This policy setting controls Event Log behavior when the log file reaches its maximum size.
-If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
+If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost.
-If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
+If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
@@ -115,9 +115,9 @@ ADMX Info:
This policy setting specifies the maximum size of the log file in kilobytes.
-If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
+If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments.
-If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
+If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
@@ -161,9 +161,9 @@ ADMX Info:
This policy setting specifies the maximum size of the log file in kilobytes.
-If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
+If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments.
-If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
+If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
@@ -207,9 +207,9 @@ ADMX Info:
This policy setting specifies the maximum size of the log file in kilobytes.
-If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
+If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments.
-If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
+If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index cb785576ec..b115b5df8c 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -155,7 +155,7 @@ ADMX Info:
1. Configure Experiences/AllowClipboardHistory to 0.
1. Open Notepad (or any editor app), select a text, and copy it to the clipboard.
1. Press Win+V to open the clipboard history UI.
-1. You should not see any clipboard item including current item you copied.
+1. You shouldn't see any clipboard item including current item you copied.
1. The setting under Settings App->System->Clipboard should be grayed out with policy warning.
@@ -241,7 +241,7 @@ The following list shows the supported values:
Allows users to turn on/off device discovery UX.
-When set to 0, the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on.
+When set to 0, the projection pane is disabled. The Win+P and Win+K shortcut keys won't work on.
Most restricted value is 0.
@@ -287,7 +287,7 @@ This policy turns on Find My Device.
When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer.
-When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device.
+When Find My Device is off, the device and its location aren't registered and the Find My Device feature won't work. In Windows 10, version 1709 the user won't be able to view the location of the last use of their active digitizer on their device.
@@ -335,7 +335,7 @@ The following list shows the supported values:
-Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g., auto-enrolled), then disabling the MDM unenrollment has no effect.
+Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (for example, auto-enrolled), then disabling the MDM unenrollment has no effect.
> [!NOTE]
> The MDM server can always remotely delete the account.
@@ -398,7 +398,7 @@ This policy is deprecated.
-Describe what value are supported in by this policy and meaning of each value is default value.
+Describe what values are supported in by this policy and meaning of each value is default value.
@@ -443,7 +443,7 @@ This policy is deprecated.
-Describes what value are supported in by this policy and meaning of each value is default value.
+Describes what values are supported in by this policy and meaning of each value is default value.
@@ -482,7 +482,7 @@ Allows or disallows all Windows sync settings on the device. For information abo
The following list shows the supported values:
-- 0 – Sync settings are not allowed.
+- 0 – Sync settings aren't allowed.
- 1 (default) – Sync settings allowed.
@@ -517,12 +517,12 @@ The following list shows the supported values:
-This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
+This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows won't use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or don't configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value.
> [!NOTE]
-> This setting does not control Cortana cutomized experiences because there are separate policies to configure it.
+> This setting doesn't control Cortana cutomized experiences because there are separate policies to configure it.
Most restricted value is 0.
@@ -682,7 +682,7 @@ The following list shows the supported values:
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
-Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
+Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or don't configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
Most restricted value is 0.
@@ -733,7 +733,7 @@ The following list shows the supported values:
-This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
+This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or don't configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
Most restricted value is 0.
@@ -837,7 +837,7 @@ The following list shows the supported values:
This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
-The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
+The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or don't configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
Most restricted value is 0.
@@ -942,7 +942,7 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not
- 0 - Not Configured: The Chat icon will be configured according to the defaults for your Windows edition.
- 1 - Show: The Chat icon will be displayed on the taskbar by default. Users can show or hide it in Settings.
- 2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings.
-- 3 - Disabled: The Chat icon will not be displayed, and users cannot show or hide it in Settings.
+- 3 - Disabled: The Chat icon won't be displayed, and users can't show or hide it in Settings.
> [!NOTE]
> Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts.
@@ -982,7 +982,7 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
-Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
+Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization doesn't have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
@@ -1033,7 +1033,7 @@ This policy setting lets you turn off cloud optimized content in all Windows exp
If you enable this policy setting, Windows experiences that use the cloud optimized content client component will present the default fallback content.
-If you disable or do not configure this policy setting, Windows experiences will be able to use cloud optimized content.
+If you disable or don't configure this policy setting, Windows experiences will be able to use cloud optimized content.
@@ -1083,9 +1083,9 @@ The following list shows the supported values:
Prevents devices from showing feedback questions from Microsoft.
-If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.
+If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or don't configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.
-If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
+If you disable or don't configure this policy setting, users can control how often they receive feedback questions.
@@ -1099,7 +1099,7 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
+- 0 (default) – Feedback notifications aren't disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
- 1 – Feedback notifications are disabled.
@@ -1151,7 +1151,7 @@ ADMX Info:
Supported values:
- 0 (default) - Allowed/turned on. The "browser" group synchronizes automatically between users' devices and lets users make changes.
-- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option.
+- 2 - Prevented/turned off. The "browser" group doesn't use the _Sync your Settings_ option.
_**Sync the browser settings automatically**_
@@ -1291,7 +1291,7 @@ If you enable this policy setting, the lock option is shown in the User Tile men
If you disable this policy setting, the lock option is never shown in the User Tile menu.
-If you do not configure this policy setting, the lock option is shown in the User Tile menu. Users can choose if they want to show the lock in the user tile menu from the Power Options control panel.
+If you don't configure this policy setting, the lock option is shown in the User Tile menu. Users can choose if they want to show the lock in the user tile menu from the Power Options control panel.
@@ -1304,7 +1304,7 @@ ADMX Info:
Supported values:
-- false - The lock option is not displayed in the User Tile menu.
+- false - The lock option isn't displayed in the User Tile menu.
- true (default) - The lock option is displayed in the User Tile menu.
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index 4c736050b2..c2b205ad92 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -58,11 +58,11 @@ manager: dansimp
This policy allows an enterprise to configure the default mode for the handwriting panel.
-The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen.
+The handwriting panel has two modes - floats near the text box, or docked to the bottom of the screen. The default configuration is the one floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen.
-In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and does not require any user interaction.
+In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction.
-The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way.
+The docked mode is especially useful in Kiosk mode where you don't expect the end-user to drag the flying-in panel out of the way.
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 95b4864abc..f8ed8cecde 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -85,9 +85,9 @@ manager: dansimp
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
-If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
+If you enable this policy setting, the Kerberos client searches the forests in this list, if it's unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
-If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
+If you disable or don't configure this policy setting, the Kerberos client doesn't search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name isn't found, NTLM authentication might be used.
@@ -129,11 +129,11 @@ ADMX Info:
-This policy allows retrieving the cloud Kerberos ticket during the logon.
+This policy allows retrieving the cloud Kerberos ticket during the sign in.
-- If you disable (0) or do not configure this policy setting, the cloud Kerberos ticket is not retrieved during the logon.
+- If you disable (0) or don't configure this policy setting, the cloud Kerberos ticket isn't retrieved during the sign in.
-- If you enable (1) this policy, the cloud Kerberos ticket is retrieved during the logon.
+- If you enable (1) this policy, the cloud Kerberos ticket is retrieved during the sign in.
@@ -182,9 +182,9 @@ ADMX Info:
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
-If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
+If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains that support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
-If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
+If you disable or don't configure this policy setting, the client devices won't request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device won't be able to retrieve claims for clients using Kerberos protocol transition.
@@ -229,14 +229,14 @@ ADMX Info:
This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.
-If you enable this policy, you will be able to configure one of four states for each algorithm:
+If you enable this policy, you'll be able to configure one of four states for each algorithm:
-* **Default**: This sets the algorithm to the recommended state.
-* **Supported**: This enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-* **Audited**: This enables usage of the algorithm and reports an event (ID 205) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled.
-* **Not Supported**: This disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+* **Default**: This state sets the algorithm to the recommended state.
+* **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+* **Audited**: This state enables usage of the algorithm and reports an event (ID 205) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+* **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
-If you disable or do not configure this policy, each algorithm will assume the **Default** state.
+If you disable or don't configure this policy, each algorithm will assume the **Default** state.
More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037.
@@ -282,14 +282,14 @@ ADMX Info:
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
-Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
+Warning: When a domain doesn't support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
> [!NOTE]
> The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
-If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
+If you disable or don't configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
@@ -333,9 +333,9 @@ ADMX Info:
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
-If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
+If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer isn't joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
-If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
+If you disable or don't configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions that can be issued to any server.
@@ -377,16 +377,16 @@ ADMX Info:
-This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
+This policy setting allows you to set the value returned to applications that request the maximum size of the SSPI context token buffer size.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
-If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
+If you disable or don't configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
> [!NOTE]
-> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
+> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it's not advised to set this value more than 48,000 bytes.
@@ -428,9 +428,9 @@ ADMX Info:
-Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal.
+Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it can't resolve a UPN to a principal.
-Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
+Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This limitation can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 4dfe60a594..ec353dc9aa 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -77,7 +77,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic
-List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+List of exceptions to the blocked website URLs (with wildcard support). This policy is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
> [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -113,7 +113,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This is
-List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
+List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to.
> [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -185,7 +185,7 @@ Configures the default URL kiosk browsers to navigate on launch and restart.
-Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user clicks on the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk browser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL.
+Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user selects the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk browser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL.
@@ -292,7 +292,7 @@ Enable/disable kiosk browser's navigation buttons (forward/back).
Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
-The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser.
+The value is an int 1-1440 that specifies the number of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty, which means there's no idle timeout within the kiosk browser.
> [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store.
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index 0165674799..abd1293e59 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - LanmanWorkstation
-description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest logons to an SMB server.
+description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest sign ins to an SMB server.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -56,13 +56,13 @@ manager: dansimp
-This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
+This policy setting determines if the SMB client will allow insecure guest sign ins to an SMB server.
-If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons.
+If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest sign ins.
-If you disable this policy setting, the SMB client will reject insecure guest logons.
+If you disable this policy setting, the SMB client will reject insecure guest sign ins.
-Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access.
+Insecure guest sign ins are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest sign ins are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest sign ins by default. Since insecure guest sign ins are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest sign ins are vulnerable to various man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest sign in is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest sign ins and configuring file servers to require authenticated access.
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 056c7c95d6..affd8a51ea 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -201,11 +201,11 @@ manager: dansimp
This policy setting prevents users from adding new Microsoft accounts on this computer.
-If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
+If you select the "Users cannot add Microsoft accounts" option, users won't be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This option is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
-If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
+If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users won't be able to sign in to Windows. Selecting this option might make it impossible for an existing administrator on this computer to sign in and manage the system.
-If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
+If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
@@ -220,7 +220,7 @@ GP Info:
The following list shows the supported values:
- 0 - disabled (users will be able to use Microsoft accounts with Windows).
-- 1 - enabled (users cannot add Microsoft accounts).
+- 1 - enabled (users can't add Microsoft accounts).
@@ -350,16 +350,16 @@ The following list shows the supported values:
Accounts: Limit local account use of blank passwords to console logon only
-This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
+This security setting determines whether local accounts that aren't password protected can be used to sign in from locations other than the physical computer console. If enabled, local accounts that aren't password protected will only be able to sign in at the computer's keyboard.
Default: Enabled.
> [!WARNING]
-> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers.
-If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
+> Computers that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can sign in by using a user account that doesn't have a password. This is especially important for portable computers.
+If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services.
-This setting does not affect logons that use domain accounts.
-It is possible for applications that use remote interactive logons to bypass this setting.
+This setting doesn't affect sign ins that use domain accounts.
+It's possible for applications that use remote interactive sign ins to bypass this setting.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
@@ -372,8 +372,8 @@ GP Info:
Valid values:
-- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
-- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
+- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console
+- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard
@@ -496,9 +496,9 @@ GP Info:
-Devices: Allow undock without having to log on.
+Devices: Allow undock without having to sign in.
-This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.
+This security setting determines whether a portable computer can be undocked without having to sign in. If this policy is enabled, sign in isn't required and an external hardware eject button can be used to undock the computer. If disabled, a user must sign in and have the Remove computer from docking station privilege to undock the computer.
Default: Enabled.
> [!CAUTION]
@@ -548,7 +548,7 @@ This security setting determines who is allowed to format and eject removable NT
- Administrators
- Administrators and Interactive Users
-Default: This policy is not defined and only Administrators have this ability.
+Default: This policy isn't defined, and only Administrators have this ability.
@@ -595,7 +595,7 @@ Default on servers: Enabled.
Default on workstations: Disabled
>[!NOTE]
->This setting does not affect the ability to add a local printer. This setting does not affect Administrators.
+>This setting doesn't affect the ability to add a local printer. This setting doesn't affect Administrators.
@@ -640,7 +640,7 @@ This security setting determines whether a CD-ROM is accessible to both local an
If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network.
-Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.
+Default: This policy isn't defined and CD-ROM access isn't restricted to the locally logged-on user.
@@ -679,7 +679,7 @@ GP Info:
-Interactive Logon:Display user information when the session is locked
+Interactive Logon: Display user information when the session is locked
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
@@ -695,7 +695,7 @@ GP Info:
Valid values:
- 1 - User display name, domain and user names
- 2 - User display name only
-- 3 - Do not display user information
+- 3 - Don't display user information
@@ -731,7 +731,7 @@ Valid values:
Interactive logon: Don't display last signed-in
This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
-If this policy is enabled, the username will not be shown.
+If this policy is enabled, the username won't be shown.
If this policy is disabled, the username will be shown.
@@ -749,7 +749,7 @@ GP Info:
Valid values:
- 0 - disabled (username will be shown)
-- 1 - enabled (username will not be shown)
+- 1 - enabled (username won't be shown)
@@ -786,7 +786,7 @@ Interactive logon: Don't display username at sign-in
This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
-If this policy is enabled, the username will not be shown.
+If this policy is enabled, the username won't be shown.
If this policy is disabled, the username will be shown.
@@ -804,7 +804,7 @@ GP Info:
Valid values:
- 0 - disabled (username will be shown)
-- 1 - enabled (username will not be shown)
+- 1 - enabled (username won't be shown)
@@ -837,11 +837,11 @@ Valid values:
-Interactive logon: Do not require CTRL+ALT+DEL
+Interactive logon: Don't require CTRL+ALT+DEL
-This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
+This security setting determines whether pressing CTRL+ALT+DEL is required before a user can sign in.
-If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.
+If this policy is enabled on a computer, a user isn't required to press CTRL+ALT+DEL to sign in. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users sign in ensures that users are communicating through a trusted path when entering their passwords.
If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.
@@ -860,7 +860,7 @@ GP Info:
Valid values:
- 0 - disabled
-- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)
+- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in)
@@ -895,7 +895,7 @@ Valid values:
Interactive logon: Machine inactivity limit.
-Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
+Windows notices inactivity of a sign-in session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
Default: not enforced.
@@ -909,7 +909,7 @@ GP Info:
-Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled.
+Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it's set to zero (0), the setting is disabled.
@@ -942,9 +942,9 @@ Valid values: From 0 to 599940, where the value is the amount of inactivity time
-Interactive logon: Message text for users attempting to log on
+Interactive logon: Message text for users attempting to sign in
-This security setting specifies a text message that is displayed to users when they log on.
+This security setting specifies a text message that is displayed to users when they sign in.
This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
@@ -989,9 +989,9 @@ GP Info:
-Interactive logon: Message title for users attempting to log on
+Interactive logon: Message title for users attempting to sign in
-This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.
+This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to sign in.
Default: No message.
@@ -1047,14 +1047,14 @@ The options are:
If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
-If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.
+If you click Force Logoff in the Properties dialog box for this policy, the user is automatically signed off when the smart card is removed.
-If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
+If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging off the user. This policy allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation.
> [!NOTE]
> Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
-Default: This policy is not defined, which means that the system treats it as No action.
+Default: This policy isn't defined, which means that the system treats it as No action.
On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
@@ -1098,7 +1098,7 @@ Microsoft network client: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
-If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
+If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
Default: Disabled.
@@ -1208,7 +1208,7 @@ GP Info:
Microsoft network client: Send unencrypted password to connect to third-party SMB servers
-If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
+If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that don't support password encryption during authentication.
Sending unencrypted passwords is a security risk.
@@ -1263,7 +1263,7 @@ Administrators can use this policy to control when a computer suspends an inacti
For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
-Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+Default: This policy isn't defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
@@ -1317,7 +1317,7 @@ This security setting determines whether packet signing is required by the SMB s
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
-If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
+If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
Default: Disabled for member servers. Enabled for domain controllers.
@@ -1328,7 +1328,7 @@ Default: Disabled for member servers. Enabled for domain controllers.
> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
>
-> Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
+> Similarly, if client-side SMB signing is required, that client won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
> If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing).
@@ -1427,19 +1427,19 @@ GP Info:
-Network access: Do not allow anonymous enumeration of SAM accounts
+Network access: Don't allow anonymous enumeration of SAM accounts
-This security setting determines what additional permissions will be granted for anonymous connections to the computer.
+This security setting determines what other permissions will be granted for anonymous connections to the computer.
-Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust.
-This security option allows additional restrictions to be placed on anonymous connections as follows:
+This security option allows more restrictions to be placed on anonymous connections as follows:
-Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
-Disabled: No additional restrictions. Rely on default permissions.
+Enabled: Don't allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
+Disabled: No extra restrictions. Rely on default permissions.
Default on workstations: Enabled.
-Default on server:Enabled.
+Default on server: Enabled.
> [!IMPORTANT]
> This policy has no impact on domain controllers.
@@ -1481,11 +1481,11 @@ GP Info:
-Network access: Do not allow anonymous enumeration of SAM accounts and shares
+Network access: Don't allow anonymous enumeration of SAM accounts and shares
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
-Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. If you don't want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
Default: Disabled.
@@ -1667,7 +1667,7 @@ Valid values:
Network security: Allow PKU2U authentication requests to this computer to use online identities.
-This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
+This policy will be turned off by default on domain joined machines. This disablement would prevent online identities from authenticating to the domain joined machine.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
@@ -1715,9 +1715,9 @@ Valid values:
-Network security: Do not store LAN Manager hash value on next password change
+Network security: Don't store LAN Manager hash value on next password change
-This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
+This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked.
Default on Windows Vista and above: Enabled
@@ -1825,8 +1825,8 @@ Network security: Minimum session security for NTLM SSP based (including secure
This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
-- Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
-- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated.
+- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) isn't negotiated.
Default:
@@ -1875,8 +1875,8 @@ Network security: Minimum session security for NTLM SSP based (including secure
This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
-Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
-Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
+Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated.
+Require 128-bit encryption. The connection will fail if strong encryption (128-bit) isn't negotiated.
Default:
@@ -1927,9 +1927,9 @@ This policy setting allows you to create an exception list of remote servers to
If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.
-If you do not configure this policy setting, no exceptions will be applied.
+If you don't configure this policy setting, no exceptions will be applied.
-The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character.
+The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character.
@@ -1981,7 +1981,7 @@ Network security: Restrict NTLM: Audit Incoming NTLM Traffic
This policy setting allows you to audit incoming NTLM traffic.
-If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.
+If you select "Disable", or don't configure this policy setting, the server won't log events for incoming NTLM traffic.
If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option.
@@ -2042,9 +2042,9 @@ Network security: Restrict NTLM: Incoming NTLM traffic
This policy setting allows you to deny or allow incoming NTLM traffic.
-If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests.
+If you select "Allow all" or don't configure this policy setting, the server will allow all NTLM authentication requests.
-If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon.
+If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain sign in and display an NTLM blocked error, but allow local account sign in.
If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error.
@@ -2103,11 +2103,11 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server.
-If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
+If you select "Allow all" or don't configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
-If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer.
+If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This logging allows you to identify those servers receiving NTLM authentication requests from the client computer.
-If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.
+If you select "Deny all," the client computer can't authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
@@ -2160,13 +2160,13 @@ GP Info:
-Shutdown: Allow system to be shut down without having to log on
+Shutdown: Allow system to be shut down without having to sign in
-This security setting determines whether a computer can be shut down without having to log on to Windows.
+This security setting determines whether a computer can be shut down without having to sign in to Windows.
When this policy is enabled, the Shut Down command is available on the Windows logon screen.
-When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
+When this policy is disabled, the option to shut down the computer doesn't appear on the Windows logon screen. In this case, users must be able to sign in to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
Default on workstations: Enabled.
Default on servers: Disabled.
@@ -2183,7 +2183,7 @@ GP Info:
Valid values:
- 0 - disabled
-- 1 - enabled (allow system to be shut down without having to log on)
+- 1 - enabled (allow system to be shut down without having to sign in)
@@ -2220,7 +2220,7 @@ Shutdown: Clear virtual memory pagefile
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.
-Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile.
+Virtual memory support uses a system pagefile to swap pages of memory to disk when they aren't used. On a running system, this pagefile is opened exclusively by the operating system, and it's well protected. However, systems that are configured to allow booting to other operating systems might have to ensure that the system pagefile is wiped clean when this system shuts down. This cleaning ensures that sensitive information from process memory that might go into the pagefile isn't available to an unauthorized user who manages to directly access the pagefile.
When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled.
@@ -2267,7 +2267,7 @@ User Account Control: Allow UIAccess applications to prompt for elevation withou
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
-Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
+Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
Disabled: (Default)
@@ -2437,7 +2437,7 @@ The options are:
Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
+Disabled: Application installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
@@ -2481,8 +2481,8 @@ User Account Control: Only elevate executable files that are signed and validate
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
The options are:
-- 0 - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
-- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
+- 0 - Disabled: (Default) Doesn't enforce PKI certification path validation before a given executable file is permitted to run.
+- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it's permitted to run.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
@@ -2525,7 +2525,7 @@ GP Info:
User Account Control: Only elevate UIAccess applications that are installed in secure locations
-This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
+This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following locations:
- .\Program Files\, including subfolders
- .\Windows\system32\
@@ -2535,7 +2535,7 @@ This policy setting controls whether applications that request to run with a Use
> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
The options are:
-- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
+- 0 - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index d27b02b6fd..7c01fe7a99 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Messaging
-description: Enable, and disable, text message back up and restore as well as Messaging Everywhere by using the Policy CSP for messaging.
+description: Enable, and disable, text message backup and restore as well as Messaging Everywhere by using the Policy CSP for messaging.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -56,7 +56,7 @@ manager: dansimp
-Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
+Enables text message backup and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
@@ -70,7 +70,7 @@ ADMX Info:
The following list shows the supported values:
-- 0 - message sync is not allowed and cannot be changed by the user.
+- 0 - message sync isn't allowed and can't be changed by the user.
- 1 - message sync is allowed. The user can change this setting.
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index ad02deaa2f..02d6f53ac3 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -7,7 +7,6 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
-ms.date: 1/31/2022
ms.reviewer:
manager: dansimp
---
@@ -36,7 +35,7 @@ manager: dansimp
MixedReality/FallbackDiagnostics
-Starting with this version, the HomePages policy enforces that users cannot change the Start pages settings.
+From this version, the HomePages policy enforces that users can't change the Start pages settings.
**Version 1703**
If you don't want to send traffic to Microsoft, use the \
-When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages your want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy.
+When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages you want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy.
> [!NOTE]
@@ -2763,7 +2763,7 @@ Supported values:
- Blank (default) - Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored.
-- String - Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper extension prevents users from turning it off:
+- 1 - Only intranet sites open in Internet Explorer 11 automatically.
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.
Most restricted value: 0
@@ -2993,9 +2993,9 @@ ADMX Info:
Supported values:
-- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](#browser-allowsearchenginecustomization) policy, users cannot make changes.
+- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](#browser-allowsearchenginecustomization) policy, users can't make changes.
- 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market.
-- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.
Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. +
Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
The data type is string. Supported operation is Get and Replace. **DeviceAccount/UserName** -
Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. +
Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
The data type is string. Supported operation is Get and Replace. @@ -208,7 +208,7 @@ SurfaceHub **DeviceAccount/ErrorContext** -If there is an error calling ValidateAndCommit, there is additional context for that error in this node. Here are the possible error values: +If there's an error calling ValidateAndCommit, there's another context for that error in this node. Here are the possible error values: | ErrorContext value | Stage where error occurred | Description and suggestions | | --- | --- | --- | @@ -242,7 +242,7 @@ The data type is integer. Supported operation is Get.
Added in Windows 10, version 1703. Node for the Skype for Business settings. **InBoxApps/SkypeForBusiness/DomainName** -
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see Set up Skype for Business Online. +
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online.
The data type is string. Supported operation is Get and Replace. @@ -255,7 +255,7 @@ The data type is integer. Supported operation is Get.
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -
Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. +
Download location for image to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub, otherwise it may not be able to load the image.
The data type is string. Supported operation is Get and Replace. @@ -273,17 +273,17 @@ The data type is integer. Supported operation is Get.
Node for the Whiteboard app settings. **InBoxApps/Whiteboard/SharingDisabled** -
Invitations to collaborate from the Whiteboard app are not allowed. +
Invitations to collaborate from the Whiteboard app aren't allowed.
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Whiteboard/SigninDisabled** -
Sign-ins from the Whiteboard app are not allowed. +
Sign-ins from the Whiteboard app aren't allowed.
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Whiteboard/TelemeteryDisabled** -
Telemetry collection from the Whiteboard app is not allowed. +
Telemetry collection from the Whiteboard app isn't allowed.
The data type is boolean. Supported operation is Get and Replace. @@ -430,21 +430,21 @@ The data type is integer. Supported operation is Get.
The data type is boolean. Supported operation is Get and Replace. **Properties/ProxyServers** -
Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). +
Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://).
The data type is string. Supported operation is Get and Replace. **Properties/DisableSigninSuggestions**
Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. -
If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate. +
If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate.
The data type is boolean. Supported operation is Get and Replace. **Properties/DoNotShowMyMeetingsAndFiles**
Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. -
If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown. +
If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown.
The data type is boolean. Supported operation is Get and Replace. @@ -452,7 +452,7 @@ The data type is integer. Supported operation is Get.
Node for the Microsoft Operations Management Suite. **MOMAgent/WorkspaceID** -
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. +
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent.
The data type is string. Supported operation is Get and Replace.
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index ea7fed9759..da5516f990 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -26,11 +26,11 @@ Depending on the specific category of the settings that they control (OS or appl
- OS settings: Computer Configuration/Administrative Templates
- Application settings: User Configuration/Administrative Templates
-In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are leveraged to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), is not required.
+In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are applied to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), isn't required.
-An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
+An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP doesn't rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
-Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\ The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
+ The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this presentation is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update.
- The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
+ The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
> [!NOTE]
> For the Windows 10 build, the client may need to reboot after additional updates are added.
@@ -74,7 +74,7 @@ The following shows the Update configuration service provider in tree format.
**ApprovedUpdates/_Approved Update Guid_**
Specifies the update GUID.
- To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
+ To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
Supported operations are Get and Add.
@@ -130,7 +130,7 @@ The following shows the Update configuration service provider in tree format.
Supported operation is Get.
**InstallableUpdates**
- The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved.
+ The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved.
Supported operation is Get.
@@ -193,7 +193,7 @@ Added in Windows 10, version 1803. Roll back latest Quality Update, if the machi
- Condition 2: Device must be in a Paused State
- Condition 3: Device must have the Latest Quality Update installed on the device (Current State)
-If the conditions are not true, the device will not Roll Back the Latest Quality Update.
+If the conditions aren't true, the device won't Roll Back the Latest Quality Update.
**Rollback/FeatureUpdate**
Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions:
@@ -206,7 +206,7 @@ Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machi
> [!NOTE]
> This only works for General Availability Channel Targeted devices.
-If the conditions are not true, the device will not Roll Back the Latest Feature Update.
+If the conditions aren't true, the device won't Roll Back the Latest Feature Update.
**Rollback/QualityUpdateStatus**
Added in Windows 10, version 1803. Returns the result of last RollBack QualityUpdate operation.
diff --git a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md
index dc580c2252..7dee32b407 100644
--- a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md
+++ b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md
@@ -1,6 +1,6 @@
---
title: Using PowerShell scripting with the WMI Bridge Provider
-description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the WMI Bridge Provider.
+description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider.
ms.assetid: 238D45AD-3FD8-46F9-B7FB-6AEE42BE4C08
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 06/26/2017
# Using PowerShell scripting with the WMI Bridge Provider
-This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).
+This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).
## Configuring per-device policy settings
@@ -89,7 +89,7 @@ class MDM_Policy_User_Config01_Authentication02
-If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which is not supported in native PowerShell cmdlets.
+If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which isn't supported in native PowerShell cmdlets.
> **Note** All commands must executed under local system.
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 4f5fc988ac..07dbd492dc 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -20,20 +20,20 @@ The VPNv2 configuration service provider allows the mobile device management (MD
Here are the requirements for this CSP:
- VPN configuration commands must be wrapped in an Atomic block in SyncML.
-- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you are using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies.
+- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies.
- Instead of changing individual properties, follow these steps to make any changes:
- Send a Delete command for the ProfileName to delete the entire profile.
- Send the entire profile again with new values wrapped in an Atomic block.
- In certain conditions you can change some properties directly, but we do not recommend it.
+ In certain conditions you can change some properties directly, but we don't recommend it.
The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
- `C:\Windows\schemas\EAPHost`
- `C:\Windows\schemas\EAPMethods`
-The following shows the VPNv2 configuration service provider in tree format.
+The following example shows the VPNv2 configuration service provider in tree format.
```
./Vendor/MSFT
@@ -332,7 +332,7 @@ Supported operations include Get, Add, and Delete.
Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect.
**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId
-A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
+A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you shouldn't skip numbers.
Supported operations include Get, Add, Replace, and Delete.
@@ -340,35 +340,35 @@ Supported operations include Get, Add, Replace, and Delete.
App Node under the Row Id.
**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Id**
-App identity, which is either an app’s package family name or file path. The type is inferred by the Id, and therefore cannot be specified in the get only App/Type field
+App identity, which is either an app’s package family name or file path. The type is inferred by the Id, and therefore can't be specified in the get only App/Type field
**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Type**
-Returns the type of **App/Id**. This value can be either of the following:
+Returns the type of **App/Id**. This value can be either of the following values:
-- PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application.
-- FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
+- PackageFamilyName - When this value is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application.
+- FilePath - When this value is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
Value type is chr. Supported operation is Get.
**VPNv2/**ProfileName**/RouteList/**
-Optional node. List of routes to be added to the routing table for the VPN interface. This is required for split tunneling case where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface.
+Optional node. List of routes to be added to the routing table for the VPN interface. This information is required for split tunneling case where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface.
Every computer that runs TCP/IP makes routing decisions. These decisions are controlled by the IP routing table. Adding values under this node updates the routing table with routes for the VPN interface post connection. The values under this node represent the destination prefix of IP routes. A destination prefix consists of an IP address prefix and a prefix length.
-Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this during connect negotiation and do not need this information in the VPN Profile. Please check with your VPN server administrator to determine whether you need this information in the VPN profile.
+Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this route during connect negotiation and don't need this information in the VPN Profile. Check with your VPN server administrator to determine whether you need this information in the VPN profile.
**VPNv2/**ProfileName**/RouteList/**routeRowId
-A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
+A sequential integer identifier for the RouteList. This value is required if you're adding routes. Sequencing must start at 0.
Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/RouteList/**routeRowId**/Address**
-Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.
+Subnet address in IPv4/v6 address format which, along with the prefix, will be used to determine the destination prefix to send via the VPN Interface. This subnet address is the IP address part of the destination prefix.
Supported operations include Get, Add, Replace, and Delete. Value type is chr. Example, `192.168.0.0`
**VPNv2/**ProfileName**/RouteList/**routeRowId**/PrefixSize**
-The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface.
+The subnet prefix size part of the destination prefix for the route entry. This subnet prefix, along with the address, will be used to determine the destination prefix to route through the VPN Interface.
Value type is int. Supported operations include Get, Add, Replace, and Delete.
@@ -388,7 +388,7 @@ Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DomainNameInformationList**
Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile.
-The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
+The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before name resolution queries are issued, the DNS client consults the NRPT to determine if any extra flags must be set in the query. After the response is received, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
> [!NOTE]
> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT.
@@ -407,9 +407,9 @@ Used to indicate the namespace to which the policy applies. When a Name query is
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainNameType**
-Returns the namespace type. This value can be one of the following:
+Returns the namespace type. This value can be one of the following values:
-- FQDN - If the DomainName was not prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host.
+- FQDN - If the DomainName wasn't prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host.
- Suffix - If the DomainName was prepended with a**.** and applies to the specified namespace, all records in that namespace, and all subdomains.
Value type is chr. Supported operation is Get.
@@ -420,7 +420,7 @@ List of comma-separated DNS Server IP addresses to use for the namespace.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers**
-Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet.
+Optional. Web Proxy Server IP address if you're redirecting traffic through your intranet.
> [!NOTE]
> Currently only one web proxy server is supported.
@@ -430,7 +430,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/AutoTrigger**
Added in Windows 10, version 1607. Optional. Boolean to determine whether this domain name rule will trigger the VPN.
-If set to False, this DomainName rule will not trigger the VPN.
+If set to False, this DomainName rule won't trigger the VPN.
If set to True, this DomainName rule will trigger the VPN
@@ -439,7 +439,7 @@ By default, this value is false.
Value type is bool.
**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/Persistent**
-Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN is not connected. Value values:
+Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN isn't connected. Value values:
- False (default) - This DomainName rule will only be applied when VPN is connected.
- True - This DomainName rule will always be present and applied.
@@ -452,18 +452,18 @@ An optional node that specifies a list of rules. Only traffic that matches these
> [!NOTE]
> Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules.
-When adding multiple rules, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other.
+When multiple rules are being added, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other.
**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId
A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App**
-Per app VPN rule. This will allow only the apps specified to be allowed over the VPN interface. Value type is chr.
+Per app VPN rule. This property will allow only the apps specified to be allowed over the VPN interface. Value type is chr.
**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Id**
App identity for the app-based traffic filter.
-The value for this node can be one of the following:
+The value for this node can be one of the following values:
- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
- FilePath - This App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
@@ -511,17 +511,17 @@ A list of comma-separated values specifying remote IP address ranges to allow.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RoutingPolicyType**
-Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following:
+Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following values:
- SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
- ForceTunnel - For this traffic rule all IP traffic must go through the VPN Interface only.
-This is only applicable for App ID-based Traffic Filter rules.
+This property is only applicable for App ID-based Traffic Filter rules.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Direction**
-Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following:
+Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following values:
- Outbound - The rule applies to all outbound traffic
- Inbound - The rule applies to all inbound traffic
@@ -531,27 +531,27 @@ If no inbound filter is provided, then by default all unsolicited inbound traffi
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/EdpModeId**
-Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
-Additionally when connecting with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect.
+Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/RememberCredentials**
-Boolean value (true or false) for caching credentials. Default is false, which means do not cache credentials. If set to true, credentials are cached whenever possible.
+Boolean value (true or false) for caching credentials. Default is false, which means don't cache credentials. If set to true, credentials are cached whenever possible.
Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/AlwaysOn**
-An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.
+An optional flag to enable Always On mode. This flag will automatically connect the VPN at sign in and will stay connected until the user manually disconnects.
> [!NOTE]
> Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active.
Preserving user Always On preference
-Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
-Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference.
+Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
+Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference.
Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config`
Value: AutoTriggerDisabledProfilesList
Type: REG_MULTI_SZ
@@ -569,13 +569,13 @@ Device tunnel profile.
Valid values:
-- False (default) - this is not a device tunnel profile.
-- True - this is a device tunnel profile.
+- False (default) - this profile isn't a device tunnel profile.
+- True - this profile is a device tunnel profile.
When the DeviceTunnel profile is turned on, it does the following things:
- First, it automatically becomes an "always on" profile.
-- Second, it does not require the presence or logging in of any user to the machine in order for it to connect.
+- Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect.
- Third, no other device tunnel profile maybe is present on the same machine.-
A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
@@ -587,7 +587,7 @@ Allows registration of the connection's address in DNS.
Valid values:
-- False = Do not register the connection's address in DNS (default).
+- False = Don't register the connection's address in DNS (default).
- True = Register the connection's addresses in DNS.
**VPNv2/**ProfileName**/DnsSuffix**
@@ -599,7 +599,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
Reserved for future use.
**VPNv2/**ProfileName**/TrustedNetworkDetection**
-Optional. Comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
+Optional. Comma-separated string to identify the trusted network. VPN won't connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -657,7 +657,7 @@ Added in Windows 10, version 1607. Enables the Device Compliance flow from the
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DeviceCompliance/Sso**
-Added in Windows 10, version 1607. Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.
+Added in Windows 10, version 1607. Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication if there's Device Compliance.
**VPNv2/**ProfileName**/DeviceCompliance/Sso/Enabled**
Added in Windows 10, version 1607. If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication.
@@ -683,7 +683,7 @@ Required for plug-in profiles. Semicolon-separated list of servers in URL, hostn
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/PluginProfile/CustomConfiguration**
-Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.
+Optional. This property is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations and defaults.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -708,7 +708,7 @@ You can make a list of server by making a list of server names (with optional fr
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/NativeProfile/RoutingPolicyType**
-Optional for native profiles. Type of routing policy. This value can be one of the following:
+Optional for native profiles. Type of routing policy. This value can be one of the following values:
- SplitTunnel - Traffic can go over any interface as determined by the networking stack.
- ForceTunnel - All IP traffic must go over the VPN interface.
@@ -716,7 +716,7 @@ Optional for native profiles. Type of routing policy. This value can be one of t
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/NativeProfile/NativeProtocolType**
-Required for native profiles. Type of tunneling protocol used. This value can be one of the following:
+Required for native profiles. Type of tunneling protocol used. This value can be one of the following values:
- PPTP
- L2TP
@@ -726,7 +726,7 @@ Required for native profiles. Type of tunneling protocol used. This value can be
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
> [!NOTE]
-> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order is not customizable.
+> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order isn't customizable.
**VPNv2/**ProfileName**/NativeProfile/Authentication**
Required node for native profile. It contains authentication information for the native VPN profile.
@@ -735,14 +735,14 @@ Required node for native profile. It contains authentication information for the
This value can be one of the following:
- EAP
-- MSChapv2 (This is not supported for IKEv2)
+- MSChapv2 (This method isn't supported for IKEv2)
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/NativeProfile/Authentication/MachineMethod**
This is only supported in IKEv2.
-This value can be one of the following:
+This value can be one of the following values:
- Certificate
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index 026dcfb003..fca8b3674b 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -54,12 +54,12 @@ If no value is specified, the registry location will default to ` Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging.
- Supported operations is Get.
+ Supported operation is Get.
**DeviceTagging/Group**
Added in Windows 10, version 1709. Device group identifiers.
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index e489b9b6cd..febc8bed02 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -15,7 +15,7 @@ manager: dansimp
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
-The following shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
+The following example shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
```
./Device/Vendor/MSFT
WindowsDefenderApplicationGuard
@@ -139,7 +139,7 @@ This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or W
The following list shows the supported values:
- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
-- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.
+- 1 - Non-enterprise content embedded on enterprise sites is stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.
> [!NOTE]
> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled.
@@ -160,7 +160,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
-- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
+- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user sign out.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
@@ -181,8 +181,8 @@ This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or W
If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.
The following list shows the supported values:
-- 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0).
-- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.
+- 0 (default) - Can't access the vGPU and uses the CPU to support rendering graphics. When the policy isn't configured, it's the same as disabled (0).
+- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This functionality can create a faster experience when working with graphics intense websites or watching video within the container.
> [!WARNING]
> Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
@@ -196,14 +196,14 @@ ADMX Info:
**Settings/SaveFilesToHost**
-Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This also enables users to elect files on the host operating system and upload it through Edge in the container.
+Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This policy setting also enables users to elect files on the host operating system and upload it through Edge in the container.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
-- 0 (default) - The user cannot download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy is not configured, it is the same as disabled (0).
+- 0 (default) - The user can't download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy isn't configured, it's the same as disabled (0).
- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
@@ -226,7 +226,7 @@ If you enable this setting, certificates with a thumbprint matching the ones spe
Here's an example:
b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
-If you disable or don’t configure this setting, certificates are not shared with the Microsoft Defender Application Guard container.
+If you disable or don’t configure this setting, certificates aren't shared with the Microsoft Defender Application Guard container.
ADMX Info:
@@ -251,7 +251,7 @@ If you enable this policy setting, applications inside Microsoft Defender Applic
If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device.
The following list shows the supported values:
-- 0 (default) - Microsoft Defender Application Guard cannot access the device’s camera and microphone. When the policy is not configured, it is the same as disabled (0).
+- 0 (default) - Microsoft Defender Application Guard can't access the device’s camera and microphone. When the policy isn't configured, it's the same as disabled (0).
- 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone.
> [!IMPORTANT]
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 20530b3267..0789764ab1 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -19,7 +19,7 @@ ms.date: 08/15/2018
The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 client devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 client devices.
-The following shows the WindowsLicensing configuration service provider in tree format.
+The following example shows the WindowsLicensing configuration service provider in tree format.
```console
./Vendor/MSFT
@@ -41,7 +41,7 @@ WindowsLicensing
--------Status (Added in Windows 10, version 1809)
```
**./Device/Vendor/MSFT/WindowsLicensing**
-This is the root node for the WindowsLicensing configuration service provider.
+This node is the root node for the WindowsLicensing configuration service provider.
The supported operation is Get.
@@ -70,7 +70,7 @@ If a product key is entered in a provisioning package and the user begins instal
After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade.
-This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key does not require a reboot and is a silent process for the user.
+This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key doesn't require a reboot and is a silent process for the user.
> [!IMPORTANT]
> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal.
@@ -117,7 +117,7 @@ The supported operation is Get.
Provides a license for an edition upgrade of Windows 10 devices.
> [!NOTE]
-> This upgrade process does not require a system restart.
+> This upgrade process doesn't require a system restart.
The date type is XML.
@@ -152,7 +152,7 @@ The data type is a chr.
The supported operation is Exec.
**ChangeProductKey**
-Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Does not reboot.
+Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Doesn't reboot.
The data type is a chr.
@@ -191,7 +191,7 @@ Supported values:
- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
**SMode/SwitchFromSMode**
-Added in Windows 10, version 1809. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute)
+Added in Windows 10, version 1809. Switches a device out of S mode if possible. Doesn't reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute)
Supported operation is Execute.
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index fc6a7c7176..62808bc9bb 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -1,6 +1,6 @@
---
title: WiredNetwork CSP
-description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP. Learn how it works.
+description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP. Learn how it works.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -16,9 +16,9 @@ manager: dansimp
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, version 1809.
+The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, version 1809.
-The following shows the WiredNetwork configuration service provider in tree format.
+The following example shows the WiredNetwork configuration service provider in tree format.
```
./User/Vendor/MSFT
WiredNetwork
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md
index 3fa7f1b6c8..777b9fa6ec 100644
--- a/windows/client-management/system-failure-recovery-options.md
+++ b/windows/client-management/system-failure-recovery-options.md
@@ -18,7 +18,7 @@ This article describes how to configure the actions that Windows takes when a sy
- Write an event to the System log.
-- Alert administrators (if you have set up administrative alerts).
+- Alert administrators (if you've set up administrative alerts).
- Put system memory into a file that advanced users can use for debugging.
@@ -92,9 +92,9 @@ Select one of the following type of information that you want Windows to record
#### (none)
-The option does not record any information in a memory dump file.
+The option doesn't record any information in a memory dump file.
-To specify that you do not want Windows to record information in a memory dump file, run the following command or modify the registry value:
+To specify that you don't want Windows to record information in a memory dump file, run the following command or modify the registry value:
- ```cmd
wmic recoveros set DebugInfoType = 0
@@ -123,7 +123,7 @@ To specify that you want to use a folder as your Small Dump Directory, run the f
#### Kernel Memory Dump
-The option records only kernel memory. This option stores more information than a small memory dump file, but it takes less time to complete than a complete memory dump file. The file is stored in %SystemRoot%\Memory.dmp by default, and any previous kernel or complete memory dump files are overwritten if the **Overwrite any existing file** check box is selected. If you set this option, you must have a sufficiently large paging file on the boot volume. The required size depends on the amount of RAM in your computer However, the maximum amount of space that must be available for a kernel memory dump on a 32-bit system is 2 GB plus 16 MB. On a 64-bit system, the maximum amount of space that must be available for a kernel memory dump is the size of the RAM plus 128 MB. The following table provides guidelines for the size of the paging file:
+The option records only kernel memory. This option stores more information than a small memory dump file, but it takes less time to complete than a complete memory dump file. The file is stored in %SystemRoot%\Memory.dmp by default, and any previous kernel or complete memory dump files are overwritten if the **Overwrite any existing file** check box is selected. If you set this option, you must have a sufficiently large paging file on the boot volume. The required size depends on the amount of RAM in your computer. However, the maximum amount of space that must be available for a kernel memory dump on a 32-bit system is 2 GB plus 16 MB. On a 64-bit system, the maximum amount of space that must be available for a kernel memory dump is the size of the RAM plus 128 MB. The following table provides guidelines for the size of the paging file:
|RAM size |Paging file should be no smaller than|
|-------|-----------------|
@@ -146,7 +146,7 @@ To specify that you want to use a file as your memory dump file, run the followi
- Set the **DumpFile** Expandable String Value to \ Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.|
+|0xC1800118|WSUS has downloaded content that it can't use due to a missing decryption key.|See [Steps to resolve error 0xC1800118](/archive/blogs/wsus/resolving-error-0xc1800118) for information.|
+|0xC1900200|Setup.exe has detected that the machine doesn't meet the minimum system requirements.|Ensure the system you're trying to upgrade meets the minimum system requirements. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for information.|
+|0x80090011|A device driver error occurred during user data migration.|Contact your hardware vendor and get all the device drivers updated. It's recommended to have an active internet connection during upgrade process. Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.|
|0xC7700112|Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk.|This issue is resolved in the latest version of Upgrade Assistant. Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.|
|0x80190001|An unexpected error was encountered while attempting to download files required for upgrade.|To resolve this issue, download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/software-download/windows10).|
-|0x80246007|The update was not downloaded successfully.|Attempt other methods of upgrading the operating system. Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/software-download/windows10). Attempt to upgrade using .ISO or USB. **Note:** Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).|
+|0x80246007|The update wasn't downloaded successfully.|Attempt other methods of upgrading the operating system. Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/software-download/windows10). Attempt to upgrade using .ISO or USB. **Note:** Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).|
|0x80244018|Your machine is connected through a proxy server.|Make sure Automatically Detect Settings is selected in internet options. (Control Panel > Internet Options > Connections > LAN Settings).|
-|0xC1900201|The system did not pass the minimum requirements to install the update.|Contact the hardware vendor to get the latest updates.|
+|0xC1900201|The system didn't pass the minimum requirements to install the update.|Contact the hardware vendor to get the latest updates.|
|0x80240017|The upgrade is unavailable for this edition of Windows.|Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.|
-|0x80070020|The existing process cannot access the file because it is being used by another process.|Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).|
-|0x80070522|The user doesn’t have required privilege or credentials to upgrade.|Ensure that you have signed in as a local administrator or have local administrator privileges.|
-|0xC1900107|A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.|Restart the device and run setup again. If restarting the device does not resolve the issue, then use the Disk Cleanup utility and clean up the temporary files as well as the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10).|
-|0xC1900209|The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.|Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](/archive/blogs/mniehaus/windows-10-pre-upgrade-validation-using-setup-exe) for more information. You can also download the Windows Assessment and Deployment Kit (ADK) for Windows 10 and install Application Compatibility Tools.|
+|0x80070020|The existing process can't access the file because it's being used by another process.|Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).|
+|0x80070522|The user doesn’t have required privilege or credentials to upgrade.|Ensure that you've signed in as a local administrator or have local administrator privileges.|
+|0xC1900107|A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.|Restart the device and run setup again. If restarting the device doesn't resolve the issue, then use the Disk Cleanup utility to clean up the temporary files and the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/windows/disk-cleanup-in-windows-8a96ff42-5751-39ad-23d6-434b4d5b9a68).|
+|0xC1900209|The user has chosen to cancel because the system doesn't pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.|Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](/archive/blogs/mniehaus/windows-10-pre-upgrade-validation-using-setup-exe) for more information. You can also download the Windows Assessment and Deployment Kit (ADK) for Windows 10 and install Application Compatibility Tools.|
|0x8007002|This error is specific to upgrades using System Center 2012 Configuration Manager R2 SP1 CU3 (5.00.8238.1403)|Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760) The error 80072efe means that the connection with the server was terminated abnormally. To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.|
-|0x80240FFF|Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with Microsoft Endpoint Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.|You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following: For detailed information on how to run these steps check out How to delete upgrades in WSUS.|
-|0x8007007E|Occurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with Microsoft Endpoint Configuration Manager.|Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix. Stop the Windows Update service. Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore. Restart the Windows Update service.|
+|0x80240FFF|Occurs when update synchronization fails. It can occur when you're using Windows Server Update Services on its own or when it's integrated with Microsoft Endpoint Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.|You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following: For detailed information on how to run these steps check out How to delete upgrades in WSUS.|
+|0x8007007E|Occurs when update synchronization fails because you don't have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you're using standalone Windows Server Update Services or when WSUS is integrated with Microsoft Endpoint Configuration Manager.|Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix. Stop the Windows Update service. Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore. Restart the Windows Update service.|
## Other error codes
| Error Codes | Cause | Mitigation |
| --- | --- | --- |
|0x80070003- 0x20007|This is a failure during SafeOS phase driver installation.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.|
-|0x8007025D - 0x2000C|This error occurs if the ISO file's metadata is corrupt or if there is an issue with the storage medium, such as a RAM module containing bad blocks during the installation of Windows.|Re-download the ISO/Media and re-attempt the upgrade Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).|
+|0x8007025D - 0x2000C|This error occurs if the ISO file's metadata is corrupt or if there's an issue with the storage medium, such as a RAM module containing bad blocks during the installation of Windows.|Redownload the ISO/Media and reattempt the upgrade Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).|
|0x80070490 - 0x20007|An incompatible device driver is present.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.|
|0xC1900101 - 0x2000c|An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.|Run checkdisk to repair the file system. For more information, see the [quick fixes](quick-fixes.md) section in this guide. Review logs for [compatibility information](/archive/blogs/askcore/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues).|
@@ -102,7 +102,7 @@ See the following general troubleshooting procedures associated with a result co
|0xC1900101 - 0x4001E|Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.|This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section.|
|0x80070005 - 0x4000D|The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.|[Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access denied.|
|0x80070004 - 0x50012|Windows Setup failed to open a file.|[Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access problems.|
-|0xC190020e
+You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files aren't corrupted or invalid. For more information, see the following video:
>[!video https://www.youtube.com/embed/xN7tOfgNKag]
@@ -144,7 +144,7 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols
## Advanced troubleshooting steps
>[!NOTE]
->Advanced troubleshooting of crash dumps can be very challenging if you are not experienced with programming and internal Windows mechanisms. We have attempted to provide a brief insight here into some of the techniques used, including some examples. However, to really be effective at troubleshooting a crash dump, you should spend time becoming familiar with advanced debugging techniques. For a video overview, see [Advanced Windows Debugging](https://channel9.msdn.com/Blogs/Charles/Advanced-Windows-Debugging-An-Introduction) and [Debugging Kernel Mode Crashes and Hangs](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps). Also see the advanced references listed below.
+>Advanced troubleshooting of crash dumps can be very challenging if you aren't experienced with programming and internal Windows mechanisms. We have attempted to provide a brief insight here into some of the techniques used, including some examples. However, to really be effective at troubleshooting a crash dump, you should spend time becoming familiar with advanced debugging techniques. For a video overview, see [Advanced Windows Debugging](https://channel9.msdn.com/Blogs/Charles/Advanced-Windows-Debugging-An-Introduction) and [Debugging Kernel Mode Crashes and Hangs](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps). Also see the advanced references listed below.
### Advanced debugging references
@@ -153,25 +153,25 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols
### Debugging steps
-1. Verify that the computer is set up to generate a complete memory dump file when a crash occurs. See the steps [here](troubleshoot-windows-freeze.md#method-1-memory-dump) for more information.
+1. Verify that the computer is set up to generate a complete memory dump file when a crash occurs. For more information, see the steps [here](troubleshoot-windows-freeze.md#method-1-memory-dump).
2. Locate the memory.dmp file in your Windows directory on the computer that is crashing, and copy that file to another computer.
3. On the other computer, download the [Windows 10 SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk).
-4. Start the install and choose **Debugging Tools for Windows**. This installs the WinDbg tool.
+4. Start the install and choose **Debugging Tools for Windows**. The WinDbg tool is installed.
5. Open the WinDbg tool and set the symbol path by clicking **File** and then clicking **Symbol File Path**.
- 1. If the computer is connected to the Internet, enter the [Microsoft public symbol server](/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This is the recommended method.
+ 1. If the computer is connected to the Internet, enter the [Microsoft public symbol server](/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This method is the recommended one.
- 1. If the computer is not connected to the Internet, you must specify a local [symbol path](/windows-hardware/drivers/debugger/symbol-path).
+ 1. If the computer isn't connected to the Internet, you must specify a local [symbol path](/windows-hardware/drivers/debugger/symbol-path).
6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below.
:::image type="content" alt-text="WinDbg img." source="images/windbg.png" lightbox="images/windbg.png":::
-7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page.
+7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. The command !analyze -v is entered in the prompt at the bottom of the page.
8. A detailed bugcheck analysis will appear. See the example below.
@@ -219,7 +219,7 @@ There are many possible causes of a bugcheck and each case is unique. In the exa
The problem here is with **mpssvc** which is a component of the Windows Firewall. The problem was repaired by disabling the firewall temporarily and then resetting firewall policies.
-Additional examples are provided in the [Debugging examples](#debugging-examples) section at the bottom of this article.
+More examples are provided in the [Debugging examples](#debugging-examples) section at the bottom of this article.
## Video resources
@@ -247,7 +247,7 @@ Use the following guidelines when you use Driver Verifier:
- Enable concurrent verification on groups of 10–20 drivers.
-- Additionally, if the computer cannot boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This is because the tool cannot run in Safe mode.
+- Additionally, if the computer can't boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This solution is because the tool can't run in Safe mode.
For more information, see [Driver Verifier](/windows-hardware/drivers/devtest/driver-verifier).
@@ -263,16 +263,16 @@ VIDEO_ENGINE_TIMEOUT_DETECTED or VIDEO_TDR_TIMEOUT_DETECTED
Stop error code 0
DRIVER_IRQL_NOT_LESS_OR_EQUAL
Stop error code 0x0000000D1 | Apply the latest updates for the driver by applying the latest cumulative updates for the system through the Microsoft Update Catalog website.Update an outdated NIC driver. Virtualized VMware systems often run “Intel(R) PRO/1000 MT Network Connection” (e1g6032e.sys). This driver is available at [http://downloadcenter.intel.com](http://downloadcenter.intel.com). Contact the hardware vendor to update the NIC driver for a resolution. For VMware systems, use the VMware integrated NIC driver (types VMXNET or VMXNET2 , VMXNET3 can be used) instead of Intel e1g6032e.sys.
PAGE_FAULT_IN_NONPAGED_AREA
Stop error code 0x000000050 | If a driver is identified in the Stop error message, contact the manufacturer for an update.If no updates are available, disable the driver, and monitor the system for stability. Run Chkdsk /f /r to detect and repair disk errors. You must restart the system before the disk scan begins on a system partition. Contact the manufacturer for any diagnostic tools that they may provide for the hard disk subsystem. Try to reinstall any application or service that was recently installed or updated. It's possible that the crash was triggered while the system was starting applications and reading the registry for preference settings. Reinstalling the application can fix corrupted registry keys.If the problem persists, and you have run a recent system state backup, try to restore the registry hives from the backup.
SYSTEM_SERVICE_EXCEPTION
Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. | Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files).
-NTFS_FILE_SYSTEM
Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button.We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem.
-KMODE_EXCEPTION_NOT_HANDLED
Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.
If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To do this, follow these steps:
Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option.
-DPC_WATCHDOG_VIOLATION
Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](/archive/blogs/ntdebugging/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012) to find the problematic driver from the memory dump.
-USER_MODE_HEALTH_MONITOR
Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
Event ID: 4870
Source: Microsoft-Windows-FailoverClustering
Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw).
+NTFS_FILE_SYSTEM
Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this step, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button. We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem.
+KMODE_EXCEPTION_NOT_HANDLED
Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.
If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To disable the driver, follow these steps:
Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option.
+DPC_WATCHDOG_VIOLATION
Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that doesn't complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for other error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](/archive/blogs/ntdebugging/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012) to find the problematic driver from the memory dump.
+USER_MODE_HEALTH_MONITOR
Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
Event ID: 4870
Source: Microsoft-Windows-FailoverClustering
Description: User mode health monitoring has detected that the system isn't being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw).
## Debugging examples
### Example 1
-This bugcheck is caused by a driver hang during upgrade, resulting in a bugcheck D1 in NDIS.sys (a Microsoft driver). The **IMAGE_NAME** tells you the faulting driver, but since this is Microsoft driver it cannot be replaced or removed. The resolution method is to disable the network device in device manager and try the upgrade again.
+This bugcheck is caused by a driver hang during upgrade, resulting in a bugcheck D1 in NDIS.sys (a Microsoft driver). The **IMAGE_NAME** tells you the faulting driver, but since this driver is Microsoft driver it can't be replaced or removed. The resolution method is to disable the network device in device manager and try the upgrade again.
```console
2: kd> !analyze -v
@@ -343,7 +343,7 @@ ANALYSIS_SESSION_HOST: SHENDRIX-DEV0
ANALYSIS_SESSION_TIME: 01-17-2019 11:06:05.0653
ANALYSIS_VERSION: 10.0.18248.1001 amd64fre
TRAP_FRAME: ffffa884c0c3f6b0 -- (.trap 0xffffa884c0c3f6b0)
-NOTE: The trap frame does not contain all registers.
+NOTE: The trap frame doesn't contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff807ad018bf0 rbx=0000000000000000 rcx=000000000011090a
rdx=fffff807ad018c10 rsi=0000000000000000 rdi=0000000000000000
@@ -442,7 +442,7 @@ In this example, a non-Microsoft driver caused page fault, so we don’t have sy
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
-Invalid system memory was referenced. This cannot be protected by try-except.
+Invalid system memory was referenced. This can't be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: 8ba10000, memory referenced.
diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md
index fd6540824c..56573160e6 100644
--- a/windows/client-management/troubleshoot-tcpip-connectivity.md
+++ b/windows/client-management/troubleshoot-tcpip-connectivity.md
@@ -25,7 +25,7 @@ You might come across connectivity errors on the application end or timeout erro
When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture that could indicate a network issue.
-* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures reliability is through the handshake process. Establishing a TCP session would begin with a three-way handshake, followed by data transfer, and then a four-way closure. The four-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. After the TIME_WAIT state completes, all the resources allocated for this connection are released.
+* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures reliability is through the handshake process. Establishing a TCP session would begin with a three-way handshake, followed by data transfer, and then a four-way closure. The four-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the four-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this period is the TIME_WAIT state. After the TIME_WAIT state completes, all the resources allocated for this connection are released.
* TCP reset is an abrupt closure of the session; it causes the resources allocated to the connection to be immediately released and all other information about the connection is erased.
@@ -33,13 +33,13 @@ When you suspect that the issue is on the network, you collect a network trace.
A network trace on the source and the destination helps you to determine the flow of the traffic and see at what point the failure is observed.
-The following sections describe some of the scenarios when you will see a RESET.
+The following sections describe some of the scenarios when you'll see a RESET.
## Packet drops
-When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up retransmitting the data and when there is no response received, it would end the session by sending an ACK RESET (this means that the application acknowledges whatever data is exchanged so far, but because of packet drop, the connection is closed).
+When one TCP peer is sending out TCP packets for which there's no response received from the other end, the TCP peer would end up retransmitting the data and when there's no response received, it would end the session by sending an ACK RESET (thisACK RESET means that the application acknowledges whatever data is exchanged so far, but because of packet drop, the connection is closed).
-The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This would mean, the network device between the source and destination is dropping the packets.
+The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This scenario denotes that the network device between the source and destination is dropping the packets.
If the initial TCP handshake is failing because of packet drops, then you would see that the TCP SYN packet is retransmitted only three times.
@@ -47,7 +47,7 @@ Source side connecting on port 445:

-Destination side: applying the same filter, you do not see any packets.
+Destination side: applying the same filter, you don't see any packets.

@@ -59,22 +59,22 @@ For the rest of the data, TCP will retransmit the packets five times.
**Destination 192.168.1.2 side trace:**
-You would not see any of the above packets. Engage your network team to investigate with the different hops and see if any of them are potentially causing drops in the network.
+You wouldn't see any of the above packets. Engage your network team to investigate with the different hops and see if any of them are potentially causing drops in the network.
-If you are seeing that the SYN packets are reaching the destination, but the destination is still not responding, then verify if the port that you are trying to connect to is in the listening state. (Netstat output will help). If the port is listening and still there is no response, then there could be a wfp drop.
+If you're seeing that the SYN packets are reaching the destination, but the destination is still not responding, then verify if the port that you're trying to connect to is in the listening state. (Netstat output will help). If the port is listening and still there's no response, then there could be a wfp drop.
## Incorrect parameter in the TCP header
-You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being replayed by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source.
+You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being replayed by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you'll be able to notice if there's a change in the packets itself or if any new packets are reaching the destination on behalf of the source.
In this case, you'll again need help from the network team to identify any device that's modifying packets or replaying packets to the destination. The most common ones are RiverBed devices or WAN accelerators.
## Application side reset
-When you have identified that the resets are not due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you have narrowed it down to application level reset.
+When you've identified that the resets aren't due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you've narrowed it down to application level reset.
-The application resets are the ones where you see the Acknowledgment flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received.
+The application resets are the ones where you see the Acknowledgment flag set to `1` along with the reset flag. This setting would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This stage is when the application that received the packet didn't like something it received.
In the below screenshots, you see that the packets seen on the source and the destination are the same without any modification or any drops, but you see an explicit reset sent by the destination to the source.
@@ -86,14 +86,14 @@ In the below screenshots, you see that the packets seen on the source and the de

-You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.
+You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason doesn't want to accept the packet, it would send an ACK+RST packet.

The application that's causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection.
>[!Note]
->The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet
+>The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You wouldn't see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you've the UDP packet sent out on a port and the destination does not have port listed, you'll see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet
```
@@ -103,7 +103,7 @@ The application that's causing the reset (identified by port numbers) should be
```
-During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. To understand whether the local firewall is dropping the packet, enable the firewall auditing on the machine.
+During the troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but doesn't respond to. In such cases, there could be a drop at the server level. To understand whether the local firewall is dropping the packet, enable the firewall auditing on the machine.
```
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
@@ -113,6 +113,6 @@ You can then review the Security event logs to see for a packet drop on a partic

-Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection.
+Now, run the command `netsh wfp show state`, this execution will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection.

diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md
index 7bbb4f70f3..aed2257b4d 100644
--- a/windows/client-management/troubleshoot-tcpip-netmon.md
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@@ -15,10 +15,10 @@ ms.collection: highpri
# Collect data using Network Monitor
-In this article, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
+In this article, you'll learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
> [!NOTE]
-> Network Monitor is the archived protocol analyzer and is no longer under development. Also, Microsoft Message Analyzer (MMA) was retired and its download packages were removed from microsoft.com sites on November 25, 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in development at this time. For similar functionality, consider using another, non-Microsoft network protocol analyzer tool. For more details, see [Microsoft Message Analyzer Operating Guide](/message-analyzer/microsoft-message-analyzer-operating-guide).
+> Network Monitor is the archived protocol analyzer and is no longer under development. Also, Microsoft Message Analyzer (MMA) was retired and its download packages were removed from microsoft.com sites on November 25, 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in development at this time. For similar functionality, consider using another, non-Microsoft network protocol analyzer tool. For more information, see [Microsoft Message Analyzer Operating Guide](/message-analyzer/microsoft-message-analyzer-operating-guide).
To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image:
@@ -36,13 +36,13 @@ When the driver gets hooked to the network interface card (NIC) during installat

-3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire.
+3. Reproduce the issue, and you'll see that Network Monitor grabs the packets on the wire.

4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file.
-The saved file has captured all the traffic that is flowing to and from the selected network adapters on the local computer. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic.
+The saved file has captured all the traffic that is flowing to and from the selected network adapters on the local computer. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you're facing. So you'll need to filter the network capture to see only the related traffic.
**Commonly used filters**
@@ -58,7 +58,7 @@ The saved file has captured all the traffic that is flowing to and from the sele
>[!TIP]
>If you want to filter the capture for a specific field and do not know the syntax for that filter, just right-click that field and select **Add *the selected value* to Display Filter**.
-Network traces which are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis.
+Network traces that are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis.
## More information
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
index 638044c3aa..938136edad 100644
--- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
@@ -19,16 +19,16 @@ TCP and UDP protocols work based on port numbers used for establishing connectio
There are two types of ports:
-- *Ephemeral ports*, which are usually dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection.
+- *Ephemeral ports*, which are dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection.
- *Well-known ports* are the defined port for a particular application or service. For example, file server service is on port 445, HTTPS is 443, HTTP is 80, and RPC is 135. Custom application will also have their defined port numbers.
-When connecting to an application or service, client devices use an ephemeral port from the device to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to `https://www.microsoft.com` on port 443.
+When a connection is being established with an application or service, client devices use an ephemeral port from the device to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to `https://www.microsoft.com` on port 443.
-In a scenario where the same browser is creating a lot of connections to multiple websites, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports on a machine are used, we term it as *port exhaustion*.
+In a scenario where the same browser is creating many connections to multiple websites, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you'll notice that the connections will start to fail and one high possibility for this failure would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports on a machine are used, we term it as *port exhaustion*.
## Default dynamic port range for TCP/IP
-To comply with [Internet Assigned Numbers Authority (IANA)](http://www.iana.org/assignments/port-numbers) recommendations, Microsoft has increased the dynamic client port range for outgoing connections. The new default start port is **49152**, and the new default end port is **65535**. This is a change from the configuration of earlier versions of Windows that used a default port range of **1025** through **5000**.
+To comply with [Internet Assigned Numbers Authority (IANA)](http://www.iana.org/assignments/port-numbers) recommendations, Microsoft has increased the dynamic client port range for outgoing connections. The new default start port is **49152**, and the new default end port is **65535**. This increase is a change from the configuration of earlier versions of Windows that used a default port range of **1025** through **5000**.
You can view the dynamic port range on a computer by using the following netsh commands:
@@ -51,13 +51,13 @@ The start port is number, and the total number of ports is range. The following
- `netsh int ipv6 set dynamicport tcp start=10000 num=1000`
- `netsh int ipv6 set dynamicport udp start=10000 num=1000`
-These sample commands set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This results in a start port of 1025 and an end port of 5000.
+These sample commands set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) can't exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This usage pattern results in a start port of 1025 and an end port of 5000.
-Specifically, about outbound connections as incoming connections will not require an Ephemeral port for accepting connections.
+Specifically, about outbound connections as incoming connections won't require an Ephemeral port for accepting connections.
-Since outbound connections start to fail, you will see a lot of the below behaviors:
+Since outbound connections start to fail, you'll see many instances of the below behaviors:
-- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
+- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign in will require you to contact the DC for authentication, which is again an outbound connection. If you've cache credentials set, then domain sign-in might still work.
:::image type="content" alt-text="Screenshot of error for NETLOGON in Event Viewer." source="images/tcp-ts-14.png" lightbox="images/tcp-ts-14.png":::
@@ -79,9 +79,9 @@ Reboot of the server will resolve the issue temporarily, but you would see all t
If you suspect that the machine is in a state of port exhaustion:
-1. Try making an outbound connection. From the server/machine, access a remote share or try an RDP to another server or telnet to a server on a port. If the outbound connection fails for all of these, go to the next step.
+1. Try making an outbound connection. From the server/machine, access a remote share or try an RDP to another server or telnet to a server on a port. If the outbound connection fails for all of these options, go to the next step.
-2. Open event viewer and under the system logs, look for the events which clearly indicate the current state:
+2. Open event viewer and under the system logs, look for the events that clearly indicate the current state:
1. **Event ID 4227**
@@ -95,12 +95,12 @@ If you suspect that the machine is in a state of port exhaustion:

- After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used by the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
+ After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used by the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process won't be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
- You might also see CLOSE_WAIT state connections in the same output; however, CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion.
+ You might also see CLOSE_WAIT state connections in the same output; however, CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state doesn't necessarily indicate port exhaustion.
> [!Note]
- > Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
+ > Having huge connections in TIME_WAIT state doesn't always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
>
> Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
>
@@ -112,7 +112,7 @@ If you suspect that the machine is in a state of port exhaustion:
Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl
```
-5. Open the server.etl file with [Network Monitor](troubleshoot-tcpip-netmon.md) and in the filter section, apply the filter **Wscore_MicrosoftWindowsWinsockAFD.AFD_EVENT_BIND.Status.LENTStatus.Code == 0x209**. You should see entries which say **STATUS_TOO_MANY_ADDRESSES**. If you do not find any entries, then the server is still not out of ports. If you find them, then you can confirm that the server is under port exhaustion.
+5. Open the server.etl file with [Network Monitor](troubleshoot-tcpip-netmon.md) and in the filter section, apply the filter **Wscore_MicrosoftWindowsWinsockAFD.AFD_EVENT_BIND.Status.LENTStatus.Code == 0x209**. You should see entries that say **STATUS_TOO_MANY_ADDRESSES**. If you don't find any entries, then the server is still not out of ports. If you find them, then you can confirm that the server is under port exhaustion.
## Troubleshoot Port exhaustion
@@ -120,30 +120,30 @@ The key is to identify which process or application is using all the ports. Belo
### Method 1
-Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below PowerShell command to identify the process:
+Start by looking at the netstat output. If you're using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID that has maximum entries as BOUND. Alternately, you can also run the below PowerShell command to identify the process:
```powershell
Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending
```
-Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports.
+Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level, ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts, which allows you to identify which process is consuming all of the ports.
For Windows 7 and Windows Server 2008 R2, you can update your PowerShell version to include the above cmdlet.
### Method 2
-If method 1 does not help you identify the process (prior to Windows 10 and Windows Server 2012 R2), then have a look at Task Manager:
+If method 1 doesn't help you identify the process (prior to Windows 10 and Windows Server 2012 R2), then have a look at Task Manager:
1. Add a column called “handles” under details/processes.
2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.

-3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
+3. If any other process than these processes has a higher number, stop that process and then try to sign in using domain credentials and see if it succeeds.
### Method 3
-If Task Manager did not help you identify the process, then use Process Explorer to investigate the issue.
+If Task Manager didn't help you identify the process, then use Process Explorer to investigate the issue.
Steps to use Process explorer:
@@ -160,9 +160,9 @@ Steps to use Process explorer:
:::image type="content" alt-text="Screenshot of Process Explorer." source="images/tcp-ts-22.png" lightbox="images/tcp-ts-22.png":::
-10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
+10. Some are normal, but large numbers of them aren't (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you've further proven that the app is the cause. Contact the vendor of that app.
-Finally, if the above methods did not help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles.
+Finally, if the above methods didn't help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles.
As a workaround, rebooting the computer will get it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands:
@@ -170,10 +170,10 @@ As a workaround, rebooting the computer will get it back in normal state and wou
netsh int ipv4 set dynamicport tcp start=10000 num=1000
```
-This will set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535.
+This command will set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) can't exceed 65535.
>[!NOTE]
->Note that increasing the dynamic port range is not a permanent solution but only temporary. You will need to track down which process/processors are consuming max number of ports and troubleshoot from that process standpoint as to why its consuming such high number of ports.
+>Note that increasing the dynamic port range is not a permanent solution but only temporary. You'll need to track down which process/processors are consuming max number of ports and troubleshoot from that process standpoint as to why it's consuming such high number of ports.
For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend.
@@ -196,5 +196,5 @@ goto loop
## Useful links
- [Port Exhaustion and You!](/archive/blogs/askds/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend) - this article gives a detail on netstat states and how you can use netstat output to determine the port status
-- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10 and Windows 11)
+- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script that will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10 and Windows 11)
diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
index 6601c0c57d..b5ef8d16f6 100644
--- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md
+++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
@@ -19,7 +19,7 @@ You might encounter an **RPC server unavailable** error when connecting to Windo

-This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’.
+This message is a commonly encountered error message in the networking world and one can lose hope fast without trying to understand much, as to what is happening ‘under the hood’.
Before getting in to troubleshooting the *RPC server unavailable- error, let’s first understand basics about the error. There are a few important terms to understand:
@@ -29,7 +29,7 @@ Before getting in to troubleshooting the *RPC server unavailable- error
- UUID – a well-known GUID that identifies the RPC application. The UUID is what you use to see a specific kind of RPC application conversation, as there are likely to be many.
- Opnum – the identifier of a function that the client wants the server to execute. It’s just a hexadecimal number, but a good network analyzer will translate the function for you. If neither knows, your application vendor must tell you.
- Port – the communication endpoints for the client and server applications.
-- Stub data – the information given to functions and data exchanged between the client and server. This is the payload, the important part.
+- Stub data – the information given to functions and data exchanged between the client and server. This data is the payload, the important part.
>[!Note]
> A lot of the above information is used in troubleshooting, the most important is the Dynamic RPC port number you get while talking to EPM.
@@ -47,10 +47,10 @@ Remote Procedure Call (RPC) dynamic port allocation is used by server applicatio
Customers using firewalls may want to control which ports RPC is using so that their firewall router can be configured to forward only these Transmission Control Protocol (UDP and TCP) ports. Many RPC servers in Windows let you specify the server port in custom configuration items such as registry entries. When you can specify a dedicated server port, you know what traffic flows between the hosts across the firewall, and you can define what traffic is allowed in a more directed manner.
-As a server port, please choose a port outside of the range you may want to specify below. You can find a comprehensive list of server ports that are used in Windows and major Microsoft products in the article [Service overview and network port requirements for Windows](/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements).
+As a server port, choose a port outside of the range you may want to specify below. You can find a comprehensive list of server ports that are used in Windows and major Microsoft products in the article [Service overview and network port requirements for Windows](/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements).
The article also lists the RPC servers and which RPC servers can be configured to use custom server ports beyond the facilities the RPC runtime offers.
-Some firewalls also allow for UUID filtering where it learns from a RPC Endpoint Mapper request for a RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass.
+Some firewalls also allow for UUID filtering where it learns from an RPC Endpoint Mapper request for an RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass.
With Registry Editor, you can modify the following parameters for RPC. The RPC Port key values discussed below are all located in the following key in the registry:
@@ -58,11 +58,11 @@ With Registry Editor, you can modify the following parameters for RPC. The RPC P
**Ports REG_MULTI_SZ**
-- Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by **5984**, and a set of ports may be represented by **5000-5100**. If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid.
+- Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by **5984**, and a set of ports may be represented by **5000-5100**. If any entries are outside the range of 0 to 65535, or if any string can't be interpreted, the RPC runtime treats the entire configuration as invalid.
**PortsInternetAvailable REG_SZ Y or N (not case-sensitive)**
-- If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available.
+- If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that aren't Internet-available.
**UseInternetPorts REG_SZ ) Y or N (not case-sensitive)**
@@ -72,7 +72,7 @@ With Registry Editor, you can modify the following parameters for RPC. The RPC P
**Example:**
-In this example ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This is not a recommendation of a minimum number of ports needed for any particular system.
+In this example, ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This example isn't a recommendation of a minimum number of ports needed for any particular system.
1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
@@ -108,13 +108,13 @@ If you would like to do a deep dive as to how it works, see [RPC over IT/Pro](ht
### PortQuery
-The best thing to always troubleshoot RPC issues before even getting in to traces is by making use of tools like **PortQry**. You can quickly determine if you are able to make a connection by running the command:
+The best thing to always troubleshoot RPC issues before even getting in to traces is by making use of tools like **PortQry**. You can quickly determine if you're able to make a connection by running the command:
```console
Portqry.exe -n
The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 |
| Print 3D app | Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
-|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
+|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
|[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
index 2db0fd7296..117d670e45 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@@ -147,6 +147,6 @@ sections:
answer: |
Use the following resources for additional information about Windows 10.
- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
- - If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10).
+ - If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum).
- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev).
- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home).
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index 0344fbd385..3683bb0214 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -51,7 +51,7 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op
|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) |
## Validate Insider Preview builds
-Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits:
+Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. Early validation has several benefits:
- Get a head start on your Windows validation process.
- Identify issues sooner to accelerate your Windows deployment.
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 5bf7d676b6..cb16c3b261 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -32,7 +32,7 @@ Windows as a service provides a new way to think about building, deploying, and
| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the servicing model for Windows client. |
| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. |
| [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. |
-| [Assign devices to servicing branches for Windows client updates](/waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. |
+| [Assign devices to servicing branches for Windows client updates](waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. |
| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. |
| [Optimize update delivery](../do/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
| [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
@@ -40,7 +40,7 @@ Windows as a service provides a new way to think about building, deploying, and
| [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates. |
| [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. |
| [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
-| [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) | Explains how the Windows Insider Program for Business works and how to become an insider. |
+| [Windows Insider Program for Business](/windows-insider/business/register) | Explains how the Windows Insider Program for Business works and how to become an insider. |
>[!TIP]
>For disaster recovery scenarios and bare-metal deployments of Windows client, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows client images is similar to deploying previous versions of Windows.
diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md
index 2239c8a19b..e9ce2f2e27 100644
--- a/windows/deployment/update/waas-morenews.md
+++ b/windows/deployment/update/waas-morenews.md
@@ -31,7 +31,6 @@ Here's more news about [Windows as a service](windows-as-a-service.md):
-
-Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
index 3f582da318..e23f09f53f 100644
--- a/windows/deployment/upgrade/quick-fixes.md
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -117,9 +117,7 @@ To check and repair errors on the system drive:
The Windows Update troubleshooter tool will automatically analyze and fix problems with Windows Update, such as a corrupted download. It will also tell you if there is a pending reboot that is preventing Windows from updating.
-For Windows 7 and 8.1, the tool is [here](https://aka.ms/diag_wu).
-
-For Windows 10, the tool is [here](https://aka.ms/wudiag).
+[Download the tool for Windows 10](https://aka.ms/wudiag).
To run the tool, click the appropriate link above. Your web browser will prompt you to save or open the file. Select **open** and the tool will automatically start. The tool will walk you through analyzing and fixing some common problems.
@@ -204,7 +202,7 @@ To remove programs, use the same steps as are provided [above](#uninstall-non-mi
Updating firmware (such as the BIOS) and installing hardware drivers is a somewhat advanced task. Do not attempt to update BIOS if you aren't familiar with BIOS settings or are not sure how to restore the previous BIOS version if there are problems. Most BIOS updates are provided as a "flash" update. Your manufacturer might provide a tool to perform the update, or you might be required to enter the BIOS and update it manually. Be sure to save your working BIOS settings, since some updates can reset your configuration and make the computer fail to boot if (for example) a RAID configuration is changed.
-Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
+Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](/surface/manage-surface-driver-and-firmware-updates).
To obtain the proper firmware drivers, search for the most updated driver version provided by your computer manufacturer. Install these updates and reboot the computer after installation. Request assistance from the manufacturer if you have any questions.
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
index 3ae929c837..d2bec5e3f1 100644
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -34,7 +34,7 @@ A frequently observed [result code](upgrade-error-codes.md#result-codes) is 0xC1
- Event logs: $Windows.~bt\Sources\Rollback\*.evtx
- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log
-The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018).
+The device install log is helpful if rollback occurs during the sysprep operation (extend code 0x30018).
To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process.
@@ -43,57 +43,57 @@ See the following general troubleshooting procedures associated with a result co
| Code | Mitigation | Cause |
| :--- | :--- | :--- |
-| 0xC1900101 - 0x20004 | Uninstall antivirus applications.
Remove all unused SATA devices.
Remove all unused devices and drivers.
Update drivers and BIOS. | Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation.
This is generally caused by out-of-date drivers. |
-| 0xC1900101 - 0x2000c | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Contact your hardware vendor to obtain updated device drivers.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
This is generally caused by out-of-date drivers |
-| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.
Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).
Update or uninstall the problem drivers. | A driver has caused an illegal operation.
Windows was not able to migrate the driver, resulting in a rollback of the operating system.
This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
This can also be caused by a hardware failure. |
+| 0xC1900101 - 0x20004 | Uninstall antivirus applications.
Remove all unused SATA devices.
Remove all unused devices and drivers.
Update drivers and BIOS. | Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation.
This is caused by out-of-date drivers. |
+| 0xC1900101 - 0x2000c | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Contact your hardware vendor to obtain updated device drivers.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
This is caused by out-of-date drivers |
+| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.
Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).
Update or uninstall the problem drivers. | A driver has caused an illegal operation.
Windows wasn't able to migrate the driver, resulting in a rollback of the operating system.
This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
This can also be caused by a hardware failure. |
| 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Contact your hardware vendor to obtain updated device drivers.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. |
| 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
This can occur due to a problem with a display driver. |
-| 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
Review the rollback log and determine the stop code.
The rollback log is located in the $Windows.~BT\Sources\Rollback folder. An example analysis is shown below. This example is not representative of all cases:
Info SP Crash 0x0000007E detected
Info SP Module name :
Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
Info SP Cannot recover the system.
Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
1. Make sure you have enough disk space.
2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
3. Try changing video adapters.
4. Check with your hardware vendor for any BIOS updates.
5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.
Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
This can occur because of incompatible drivers. |
-| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
Ensure that you select the option to "Download and install updates (recommended)."
Computers that run Citrix VDA
You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.
**Resolution**
To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
You can work around this problem in two ways:
**Workaround 1**
1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
2. Run the Windows upgrade again.
3. Reinstall Citrix VDA.
**Workaround 2**
If you cannot uninstall Citrix VDA, follow these steps to work around this problem:
1. In Registry Editor, go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc**
2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
3. Go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}**
4. Delete the **CtxMcsWbc** entry.
5. Restart the computer, and then try the upgrade again.
**Non-Microsoft information disclaimer**
The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot.
This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. |
+| 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
Review the rollback log and determine the stop code.
The rollback log is located in the $Windows.~BT\Sources\Rollback folder. An example analysis is shown below. This example isn't representative of all cases:
Info SP Crash 0x0000007E detected
Info SP Module name :
Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
Info SP Can't recover the system.
Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
Typically, there's a dump file for the crash to analyze. If you aren't equipped to debug the dump, then attempt the following basic troubleshooting procedures:
1. Make sure you have enough disk space.
2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
3. Try changing video adapters.
4. Check with your hardware vendor for any BIOS updates.
5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.
Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
This can occur because of incompatible drivers. |
+| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
Ensure that you select the option to "Download and install updates (recommended)."
Computers that run Citrix VDA
You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade can't complete and the system rolls back.
**Resolution**
To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
You can work around this problem in two ways:
**Workaround 1**
1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
2. Run the Windows upgrade again.
3. Reinstall Citrix VDA.
**Workaround 2**
If you can't uninstall Citrix VDA, follow these steps to work around this problem:
1. In Registry Editor, go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc**
2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
3. Go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}**
4. Delete the **CtxMcsWbc** entry.
5. Restart the computer, and then try the upgrade again.
**Non-Microsoft information disclaimer**
The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot.
This is caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. |
## 0x800xxxxx
-Result codes that start with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
+Result codes that start with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and aren't unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
| Code | Mitigation | Cause |
| :--- | :--- | :--- |
| 80040005 - 0x20007 | This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. | An unspecified error occurred with a driver during the SafeOS phase. |
-| 0x80073BC3 - 0x20009
0x80070002 - 0x20009
0x80073B92 - 0x20009 | These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition. | The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria. |
+| 0x80073BC3 - 0x20009
0x80070002 - 0x20009
0x80073B92 - 0x20009 | These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition. | The requested system device can't be found, there's a sharing violation, or there are multiple devices matching the identification criteria. |
| 800704B8 - 0x3001A | Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/kb/929135). | An extended error has occurred during the first boot phase. |
-| 8007042B - 0x4000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object. | The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
This issue can occur due to file system, application, or driver issues. |
-| 8007001F - 0x3000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration.
This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory.
**Note**: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory.
To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files.| The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. |
-| 8007001F - 0x4000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device. | General failure, a device attached to the system is not functioning. |
+| 8007042B - 0x4000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the file, application, or driver that isn't able to be migrated. Disconnect, update, remove, or replace the device or object. | The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
This issue can occur due to file system, application, or driver issues. |
+| 8007001F - 0x3000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration.
This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory.
**Note**: If a previous upgrade didn't complete, invalid profiles might exist in the **Windows.old\\Users** directory.
To repair this error, ensure that deleted accounts aren't still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files.| The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. |
+| 8007001F - 0x4000D | [Analyze log files](log-files.md#analyze-log-files) in order to determine the device that isn't functioning properly. Disconnect, update, or replace the device. | General failure, a device attached to the system isn't functioning. |
| 8007042B - 0x4001E | This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. | The installation failed during the second boot phase while attempting the PRE_OOBE operation. |
## Other result codes
|Error code|Cause|Mitigation|
|--- |--- |--- |
-|0xC1800118|WSUS has downloaded content that it cannot use due to a missing decryption key.|See [Steps to resolve error 0xC1800118](/archive/blogs/wsus/resolving-error-0xc1800118) for information.|
-|0xC1900200|Setup.exe has detected that the machine does not meet the minimum system requirements.|Ensure the system you are trying to upgrade meets the minimum system requirements. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for information.|
-|0x80090011|A device driver error occurred during user data migration.|Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process.
Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.|
|0xC1900200 - 0x20008|The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.|See [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) and verify the computer meets minimum requirements.
0x80070070 - 0x50011
0x80070070 - 0x50012
0x80070070 - 0x60000|These errors indicate the computer does not have enough free space available to install the upgrade.|To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.
0x80070070 - 0x50011
0x80070070 - 0x50012
0x80070070 - 0x60000|These errors indicate the computer doesn't have enough free space available to install the upgrade.|To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there isn't enough space, attempt to [free up drive space](https://support.microsoft.com/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.