diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index c8364e901f..02259ae42b 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -6438,6 +6438,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### EAP policies
+
+
+ -
+ EAP/AllowTLS1_3
+
+
+
### Education policies
@@ -6628,6 +6636,20 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### HumanPresence policies
+
+
+ -
+ HumanPresence/ForceInstantLock
+
+ -
+ HumanPresence/ForceInstantWake
+
+ -
+ HumanPresence/ForceLockTimeout
+
+
+
### InternetExplorer policies
@@ -8551,6 +8573,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
Storage/RemovableDiskDenyWriteAccess
+ -
+ Storage/WPDDevicesDenyReadAccessPerDevice
+
+ -
+ Storage/WPDDevicesDenyReadAccessPerUser
+
+ -
+ Storage/WPDDevicesDenyWriteAccessPerDevice
+
+ -
+ Storage/WPDDevicesDenyWriteAccessPerUser
+
### System policies
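Review bot: the master index is left out of sync with the per-CSP pages in this diff. The four Storage/WPD* entries here, and the EAP and HumanPresence sections in the earlier hunks, are added, but none of the other policies introduced by the same change appear anywhere in this file: ApplicationManagement/AllowAutomaticAppArchiving, Authentication/ConfigureWebcamAccessDomainNames, DeviceLock/AllowScreenTimeoutWhileLockedUserConfig, Power/AllowHibernate and Search/AllowCortanaInAAD, and there is no RemoteDesktop section at all for the new policy-csp-remotedesktop.md. Add each to its section so the index matches the pages it links to.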
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 2fdd8c06c8..532d154577 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -20,6 +20,9 @@ manager: dansimp
## ApplicationManagement policies
+ -
+ ApplicationManagement/AllowAutomaticAppArchiving
+
-
ApplicationManagement/AllowAllTrustedApps
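Review bot: the new entry breaks the alphabetical order of the list: ApplicationManagement/AllowAutomaticAppArchiving is inserted ahead of ApplicationManagement/AllowAllTrustedApps, but "AllowAll" sorts before "AllowAuto". Move the new item below AllowAllTrustedApps, and check that the body section added in the next hunk lands in the same position.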
@@ -65,6 +68,62 @@ manager: dansimp
+
+
+
+**ApplicationManagement/AllowAutomaticAppArchiving**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+This policy setting controls whether the system can archive infrequently used apps.
+
+- If you enable this policy setting, then the system will periodically check for and archive infrequently used apps.
+
+- If you disable this policy setting, then the system will not archive any apps.
+
+If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves.
+
+
+
+ADMX Info:
+- GP Friendly name: *Allow all trusted apps to install*
+- GP name: *AllowAutomaticAppArchiving*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 - Explicit disable.
+- 1 - Explicit enable.
+- 65535 (default) - Not configured.
+
+
+
+
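Review bot: the ADMX friendly name is wrong: "GP Friendly name: *Allow all trusted apps to install*" is the display name of AllowAllTrustedApps, not of an app-archiving setting (the next line correctly says "GP name: *AllowAutomaticAppArchiving*"). Replace it with the archiving setting's display string from AppxPackageManager.admx. Two smaller points: the description never says what archiving does to an app or to its data, which an admin needs in order to judge the effect on users who work offline, so spell that out; and the value list presents 65535 as "(default) - Not configured", so say explicitly that 65535 means the policy is unset rather than a value an MDM should write.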
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 78fee5443a..7344f3ddf4 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -39,6 +39,9 @@ manager: dansimp
Authentication/ConfigureWebSignInAllowedUrls
+
+ Authentication/ConfigureWebcamAccessDomainNames
+
Authentication/EnableFastFirstSignIn
@@ -307,6 +310,55 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res
**Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**Authentication/ConfigureWebcamAccessDomainNames**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+Specifies the list of domain names that are allowed to access the webcam in Web Sign-in Windows device sign-in scenarios.
+
+Web Sign-in is only supported on Azure AD Joined PCs.
+
+**Example**: If your organization federates to "Contoso IDP" and your Web Sign-in portal at "signinportal.contoso.com" requires webcam access, the policy value should be "contoso.com".
+
+
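Review bot: the matching rule for this allow list is never defined, and it matters because an entry grants webcam access to a web page during device sign-in. The example sets "contoso.com" to cover "signinportal.contoso.com", which implies suffix matching on the domain (every host under contoso.com gets the camera), but the text does not say so, nor whether an exact hostname such as signinportal.contoso.com is accepted, nor whether multiple entries use the ";" separator that ConfigureWebSignInAllowedUrls uses just above. State the match rule and the separator and recommend the narrowest entry that works. Also missing, compared with the sibling sections: an ADMX Info block (or a statement that the policy is not ADMX-backed) and a supported-values / data-type section. Minor wording: "in Web Sign-in Windows device sign-in scenarios" should read "in Web Sign-in scenarios on Windows devices".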
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 758e8a4502..2168317903 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -28,6 +28,9 @@ manager: dansimp
DeviceLock/AllowSimpleDevicePassword
+
+ DeviceLock/AllowScreenTimeoutWhileLockedUserConfig
+
DeviceLock/AlphanumericDevicePasswordRequired
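Review bot: ordering: DeviceLock/AllowScreenTimeoutWhileLockedUserConfig is inserted after DeviceLock/AllowSimpleDevicePassword, but "AllowSc" sorts before "AllowSi", so the new entry belongs above AllowSimpleDevicePassword to keep the list alphabetical.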
@@ -149,9 +152,49 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th
> This policy must be wrapped in an Atomic command.
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
+
+
+The following list shows the supported values:
+
+- 0 (default) – Blocked
+- 1 – Allowed
+
+
+
+
+
+
+
+**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+
The following list shows the supported values:
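Review bot: the insertion point is wrong and leaves the new policy without a body. The added "The following list shows the supported values:" with "0 (default) – Blocked" and "1 – Allowed" is placed under AllowSimpleDevicePassword, and the new **DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** header, edition table and scope are then inserted before the existing "The following list shows the supported values:" context line, so AllowSimpleDevicePassword ends up with two value lists and the second one now renders under the new policy. The new policy itself has no description, no ADMX Info and no values of its own. Move the new section below the original values list of AllowSimpleDevicePassword and give it a description (what "screen timeout while locked" controls and what the UserConfig suffix means) plus a supported-values list. Separately, confirm the default added for AllowSimpleDevicePassword: the hunk marks 0 (Blocked) as default for a policy named Allow..., and the existing text above does not state a default, so check it against the DDF before publishing.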
diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md
new file mode 100644
index 0000000000..4a50535a07
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-eap.md
@@ -0,0 +1,83 @@
+---
+title: Policy CSP - EAP
+description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app.
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: dansimp
+ms.localizationpriority: medium
+ms.date: 09/27/2019
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - EAP
+
+
+
+
+
+## EAP policies
+
+
+ -
+ EAP/AllowTLS1_3
+
+
+
+
+
+
+
+**EAP/AllowTLS1_3**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting is added in Windows 10, version 21H1. Allow or disallow use of TLS 1.3 during EAP client authentication.
+
+
+
+ADMX Info:
+- GP Friendly name: *AllowTLS1_3*
+- GP name: *AllowTLS1_3*
+- GP path: *Windows Components/EAP*
+- GP ADMX file name: *EAP.admx*
+
+
+
+The following list shows the supported values:
+- 0 – Use of TLS version 1.3 is not allowed for authentication.
+
+- 1 (default) – Use of TLS version 1.3 is allowed for authentication.
+
+
+
+
+
+
+
+
+
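Review bot: the front matter is copied from another page: "description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app." does not describe this page, and "ms.date: 09/27/2019" predates the Windows 10, version 21H1 policy the page documents; give EAP/AllowTLS1_3 its own description and set the date to the change date. In the ADMX Info, "GP Friendly name: *AllowTLS1_3*" just repeats the GP name, whereas the other pages in this diff give a display string there, so either supply the real display name from EAP.admx or drop the line. The description should also say when an admin would set 0: 1 (TLS 1.3 allowed) is both the default and the stronger setting, so the only reason to set 0 is an authentication server that cannot negotiate TLS 1.3, and saying so prevents the setting being read as a hardening knob. Also remove the blank line between the two value-list items so they render as one list.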
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md
new file mode 100644
index 0000000000..9ce283864c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@@ -0,0 +1,190 @@
+---
+title: Policy CSP - HumanPresence
+description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM.
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: dansimp
+ms.localizationpriority: medium
+ms.date: 09/27/2019
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - HumanPresence
+
+
+
+
+
+
+## HumanPresence policies
+
+
+ -
+ HumanPresence/ForceInstantLock
+
+ -
+ HumanPresence/ForceInstantWake
+
+ -
+ HumanPresence/ForceLockTimeout
+
+
+
+
+
+
+
+**HumanPresence/ForceInstantLock**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy specifies whether the device can lock when a human presence sensor detects a human.
+
+
+
+ADMX Info:
+- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
+- GP name: *ForceInstantLock*
+- GP path: *Windows Components/HumanPresence*
+- GP ADMX file name: *HumanPresence.admx*
+
+
+
+The following list shows the supported values:
+
+- 2 = ForcedOff
+- 1 = ForcedOn
+- 0 = DefaultToUserChoice
+- Defaults to 0.
+
+
+
+
+
+
+**HumanPresence/ForceInstantWake**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy specifies whether the device can lock when a human presence sensor detects a human.
+
+
+
+ADMX Info:
+- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
+- GP name: *ForceInstantWake*
+- GP path: *Windows Components/HumanPresence*
+- GP ADMX file name: *HumanPresence.admx*
+
+
+
+The following list shows the supported values:
+
+- 2 = ForcedOff
+- 1 = ForcedOn
+- 0 = DefaultToUserChoice
+- Defaults to 0.
+
+
+
+
+
+
+**HumanPresence/ForceLockTimeout**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy specifies at what distance the sensor wakes up when it sees a human in seconds.
+
+
+
+ADMX Info:
+- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
+- GP name: *ForceLockTimeout*
+- GP path: *Windows Components/HumanPresence*
+- GP ADMX file name: *HumanPresence.admx*
+
+
+
+Integer value that specifies whether the device can lock when a human presence sensor detects a human.
+
+The following list shows the supported values:
+
+- 120 = 120 seconds
+- 30 = 30 seconds
+- 10 = 10 seconds
+- 0 = DefaultToUserChoice
+- Defaults to 0
+
+
+
+
+
+
+
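Review bot: the three descriptions do not match the policies they sit under. ForceInstantLock and ForceInstantWake carry the same sentence, "This policy specifies whether the device can lock when a human presence sensor detects a human"; lock on leave fires when the sensor no longer detects the user, and ForceInstantWake is about waking on approach, so each needs its own wording. ForceLockTimeout is described as "at what distance the sensor wakes up when it sees a human in seconds", which mixes distance, wake and seconds; the values (120, 30, 10 seconds) show it is the delay before locking once the user has left, and the second description further down ("Integer value that specifies whether the device can lock") contradicts the first. Other points: the GP Friendly name "Implements wake on approach and lock on leave that can be managed from MDM" is repeated verbatim for all three policies and reads like a placeholder; the value lists run 2, 1, 0 unlike every other page; the 2019 ms.date predates a Windows 11 only policy; and the front-matter description is ungrammatical. Since ForcedOn/ForcedOff override the user's choice, a sentence on whether the user can still turn the sensor off locally would help administrators.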
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 0ef2c8dfbd..417c2b7bb8 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -14,14 +14,16 @@ manager: dansimp
# Policy CSP - Power
-
-
+
## Power policies
+ -
+ Power/AllowHibernate
+
-
Power/AllowStandbyStatesWhenSleepingOnBattery
@@ -98,6 +100,71 @@ manager: dansimp
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+**Power/AllowHibernate**
+
+
+
+
+ Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ Home |
+ No |
+ No |
+
+
+ Pro |
+ No |
+ Yes |
+
+
+ Business |
+ No |
+ Yes |
+
+
+ Enterprise |
+ No |
+ Yes |
+
+
+ Education |
+ No |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Decides if hibernate on the machine is allowed or not*
+- GP name: *AllowHibernate*
+- GP path: *System/Power Management/Sleep Settings*
+- GP ADMX file name: *power.admx*
+
+
+
+
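Review bot: the section has no description and no supported-values list, so an admin cannot tell what value to send or what 0 and 1 mean, and "GP Friendly name: *Decides if hibernate on the machine is allowed or not*" reads like a placeholder rather than the display string from power.admx; add the description, the values and the real friendly name. The edition table is also written in a different form (rows rendered as "Edition |", "Windows 10 |") from the markdown pipe table every other new section in this diff uses; use the same markdown table for consistency.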
diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md
new file mode 100644
index 0000000000..19de9949ac
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-remotedesktop.md
@@ -0,0 +1,264 @@
+---
+title: Policy CSP - RemoteDesktop
+description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display.
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: dansimp
+ms.localizationpriority: medium
+ms.date: 09/27/2019
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - RemoteDesktop
+
+
+
+
+## RemoteDesktop policies
+
+
+ -
+ RemoteDesktop/AutoSubscription
+
+ -
+ RemoteDesktop/LoadAadCredKeyFromProfile
+
+
+
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+**RemoteDesktop/AutoSubscription<**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Customize warning messages*
+- GP name: *AutoSubscription*
+- GP path: *System/Remote Desktop*
+- GP ADMX file name: *remotedesktop.admx*
+
+
+
+
+
+
+
+**RemoteDesktop/LoadAadCredKeyFromProfile**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
+
+If you enable this policy setting, log files are generated.
+
+If you disable this policy setting, log files are not generated.
+
+If you do not configure this setting, application-based settings are used.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Turn on session logging*
+- GP name: *RA_Logging*
+- GP path: *System/Remote Assistance*
+- GP ADMX file name: *remoteassistance.admx*
+
+
+
+
+
+
+
+**RemoteAssistance/SolicitedRemoteAssistance**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
+
+If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
+
+If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.
+
+If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.
+
+If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."
+
+The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.
+
+The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.
+
+If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Solicited Remote Assistance*
+- GP name: *RA_Solicit*
+- GP path: *System/Remote Assistance*
+- GP ADMX file name: *remoteassistance.admx*
+
+
+
+
+
+
+
+**RemoteAssistance/UnsolicitedRemoteAssistance**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
+
+If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
+
+If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
+
+If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
+
+If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.
+
+To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:
+
+`\` or
+
+`\`
+
+If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.
+
+Windows Vista and later
+
+Enable the Remote Assistance exception for the domain profile. The exception must contain:
+Port 135:TCP
+%WINDIR%\System32\msra.exe
+%WINDIR%\System32\raserver.exe
+
+Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)
+
+Port 135:TCP
+%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
+%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
+%WINDIR%\System32\Sessmgr.exe
+
+For computers running Windows Server 2003 with Service Pack 1 (SP1)
+
+Port 135:TCP
+%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
+%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
+Allow Remote Desktop Exception
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Offer Remote Assistance*
+- GP name: *RA_Unsolicit*
+- GP path: *System/Remote Assistance*
+- GP ADMX file name: *remoteassistance.admx*
+
+
+
+
+
+
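Review bot: most of this new page is copied from the Remote Assistance page and does not document the policies it lists. The policy list names only RemoteDesktop/AutoSubscription and RemoteDesktop/LoadAadCredKeyFromProfile, yet the file also contains **RemoteAssistance/SolicitedRemoteAssistance** and **RemoteAssistance/UnsolicitedRemoteAssistance**, whose ADMX info points at remoteassistance.admx; those belong in the RemoteAssistance page and should be removed here. The LoadAadCredKeyFromProfile section describes session logging ("GP name: *RA_Logging*"), which has nothing to do with loading an Azure AD credential key from a profile; it needs its own description, values and ADMX entry. AutoSubscription has a stray "<" in its header ("**RemoteDesktop/AutoSubscription<**"), no description, no values, and a friendly name ("Customize warning messages") that does not fit an auto-subscription setting. The front-matter description ("allows you to specify a custom message to display") is copied as well. In the Unsolicited section the helper-name format lines have lost the placeholders around the backslash (they read as a bare `\`); restore the domain\user and domain\group forms from the ADMX help text. Finally, this page is added to neither toc.yml nor the policy index in this diff.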
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 3542a2ac74..4c50234b0c 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -24,6 +24,9 @@ manager: dansimp
-
Search/AllowCloudSearch
+ -
+ Search/AllowCortanaInAAD
+
-
Search/AllowFindMyFiles
@@ -115,6 +118,7 @@ The following list shows the supported values:
+**Search/AllowCortanaInAAD**
@@ -137,6 +141,30 @@ The following list shows the supported values:
+
+
+This policy allows the cortana opt-in page during windows setup out of the box experience.
+
+
+
+ADMX Info:
+- GP English name: *Allow Cloud Search*
+- GP name: *AllowCortanaInAAD*
+- GP element: *AllowCloudSearch_Dropdown*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
+
+
+This is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an AAD account.
+
+
+
+
+
+
+
**Search/AllowFindMyFiles**
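Review bot: the ADMX Info block is copied from AllowCloudSearch and is wrong for this policy: "GP English name: *Allow Cloud Search*" and "GP element: *AllowCloudSearch_Dropdown*" describe the cloud search setting while the GP name line says AllowCortanaInAAD. Either supply the correct mapping from Search.admx or, if the policy is not ADMX-backed, drop the block; and use "GP Friendly name" like the rest of the diff rather than "GP English name". The two descriptions should be merged into one, with values given in the page's usual form (0 (default) and 1 with their meanings) instead of "a simple boolean value, default false". Capitalise Cortana and Windows, and say plainly that this controls only whether the Cortana opt-in page appears during OOBE for an AAD sign-in, not whether Cortana is available after setup, so the policy is not confused with a Cortana on/off switch.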
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index edbab49c18..64815bafdc 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -48,6 +48,18 @@ manager: dansimp
-
Storage/RemovableDiskDenyWriteAccess
+ -
+ Storage/WPDDevicesDenyReadAccessPerDevice
+
+ -
+ Storage/WPDDevicesDenyReadAccessPerUser
+
+ -
+ Storage/WPDDevicesDenyWriteAccessPerDevice
+
+ -
+ Storage/WPDDevicesDenyWriteAccessPerUser
+
@@ -566,5 +578,252 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin
+
+**Storage/WPDDevicesDenyReadAccessPerDevice**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
+
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
+- Mass Storage Class (MSC) over USB
+
+To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
+
+If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android.
+
+>[!NOTE]
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+
+Supported values for this policy are:
+- Not configured
+- Enabled
+- Disabled
+
+
+
+ADMX Info:
+- GP Friendly name: *WPD Devices: Deny read access*
+- GP name: *WPDDevices_DenyRead_Access_2*
+- GP path: *System/Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+**Storage/WPDDevicesDenyReadAccessPerUser**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
+
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
+- Mass Storage Class (MSC) over USB
+
+To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
+
+If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android.
+
+>[!NOTE]
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+
+Supported values for this policy are:
+- Not configured
+- Enabled
+- Disabled
+
+
+
+ADMX Info:
+- GP Friendly name: *WPD Devices: Deny read access*
+- GP name: *WPDDevices_DenyRead_Access_1*
+- GP path: *System/Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+**Storage/WPDDevicesDenyWriteAccessPerDevice**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
+
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
+- Mass Storage Class (MSC) over USB
+
+To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
+
+If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android.
+
+>[!NOTE]
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+
+Supported values for this policy are:
+- Not configured
+- Enabled
+- Disabled
+
+
+
+ADMX Info:
+- GP Friendly name: *WPD Devices: Deny write access*
+- GP name: *WPDDevices_DenyWrite_Access_2*
+- GP path: *System/Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+**Storage/WPDDevicesDenyWriteAccessPerUser**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
+
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
+- Mass Storage Class (MSC) over USB
+
+To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
+
+If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android.
+
+>[!NOTE]
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+
+Supported values for this policy are:
+- Not configured
+- Enabled
+- Disabled
+
+
+
+ADMX Info:
+- GP Friendly name: *WPD Devices: Deny write access*
+- GP name: *WPDDevices_DenyWrite_Access_1*
+- GP path: *System/Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+
+
+
+
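Review bot: the protocol list and the note contradict each other, and that contradiction is the security-relevant point. Each of the four sections says enforcement covers "Mass Storage Class (MSC) over USB", then the note says a USB thumb drive under a WPD policy "may block PTP/MTP/etc, but end-user can still browser the USB via explorer". A thumb drive is an MSC device, so either MSC is not actually enforced and should be dropped from the list, or the note must say which MSC devices are covered. Either way the note should point admins to the Storage/RemovableDisk* policies listed above for real removable-disk control, so a WPD deny is not mistaken for a USB block. Other points: "Windows Portal devices" should be "Windows Portable Devices (WPD)"; "IOS" should be "iOS", "an USB" should be "a USB", and "browser the USB" should be "browse the USB"; the supported values are given only as Not configured / Enabled / Disabled, whereas every other section in this diff lists the integer values an MDM must send, so add those. The identical boilerplate (protocol list, KB5003217 requirement, note) is repeated four times; state it once above the WPD group instead.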
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 18b041249a..36e1d8215a 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
-ms.date: 11/29/2021
+ms.date: 01/10/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@@ -427,7 +427,7 @@ ADMX Info:
The following list shows the supported values:
- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
-- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart.user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
+- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
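Review bot: the duplicated-sentence fix is correct. While touching the line, "applications that do not shutdown properly" should read "do not shut down properly" (verb form), here and in the unchanged value 2 line just below it.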
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index e81cb17f06..8b642d0a06 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -699,6 +699,8 @@ items:
href: policy-csp-display.md
- name: DmaGuard
href: policy-csp-dmaguard.md
+ - name: EAP
+ href: policy-csp-eap.md
- name: Education
href: policy-csp-education.md
- name: EnterpriseCloudPrint
@@ -719,6 +721,8 @@ items:
href: policy-csp-games.md
- name: Handwriting
href: policy-csp-handwriting.md
+ - name: HumanPresence
+ href: policy-csp-humanpresence.md
- name: InternetExplorer
href: policy-csp-internetexplorer.md
- name: Kerberos