From 81090affab904c05f7e8547e71644cb6aca17819 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 24 Nov 2021 16:53:32 +0530 Subject: [PATCH 01/26] Updated policy-csp-storage with missing policy entries Added: - -- Storage/WPDDevicesDenyReadAccessPerDevice Storage/WPDDevicesDenyReadAccessPerUser Storage/WPDDevicesDenyWriteAccessPerDevice Storage/WPDDevicesDenyWriteAccessPerUser --- .../policy-configuration-service-provider.md | 12 + .../mdm/policy-csp-storage.md | 379 +++++++++++++++++- 2 files changed, 379 insertions(+), 12 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index bbd3101f94..f43673ae62 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -8293,6 +8293,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
Storage/RemovableDiskDenyWriteAccess
+
+ Storage/WPDDevicesDenyReadAccessPerDevice +
+
+ Storage/WPDDevicesDenyReadAccessPerUser +
+
+ Storage/WPDDevicesDenyWriteAccessPerDevice +
+
+ Storage/WPDDevicesDenyWriteAccessPerUser +
### System policies diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index d470d7977b..7c441baca0 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -48,6 +48,18 @@ manager: dansimp
Storage/RemovableDiskDenyWriteAccess
+
+ Storage/WPDDevicesDenyReadAccessPerDevice +
+
+ Storage/WPDDevicesDenyReadAccessPerUser +
+
+ Storage/WPDDevicesDenyWriteAccessPerDevice +
+
+ Storage/WPDDevicesDenyWriteAccessPerUser +
@@ -139,8 +151,8 @@ The following list shows the supported values: Home - - + No + No Pro @@ -218,8 +230,8 @@ ADMX Info: Home - - + No + No Pro @@ -300,8 +312,8 @@ ADMX Info: Home - - + No + No Pro @@ -382,8 +394,8 @@ ADMX Info: Home - - + No + No Pro @@ -464,8 +476,8 @@ ADMX Info: Home - - + No + No Pro @@ -552,8 +564,8 @@ ADMX Info: Home - - + No + No Pro @@ -782,5 +794,348 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin
+ +**Storage/WPDDevicesDenyReadAccessPerDevice** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth +- Mass Storage Class (MSC) over USB + +If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. + +Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications[TC(1] [TW2]. + +>[!NOTE] +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. + +Supported values for this policy are: +- Not configured +- 1-Enabled +- 0-Disabled + + + +ADMX Info: +- GP Friendly name: *WPD Devices: Deny read access* +- GP name: *WPDDevices_DenyRead_Access_2* +- GP path: *System/Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + + + + + + + +
+ + +**Storage/WPDDevicesDenyReadAccessPerUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth +- Mass Storage Class (MSC) over USB + +If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. + +Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications[TC(1] [TW2]. + +>[!NOTE] +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. + +Supported values for this policy are: +- Not configured +- 1-Enabled +- 0-Disabled + + + +ADMX Info: +- GP Friendly name: *WPD Devices: Deny read access* +- GP name: *WPDDevices_DenyRead_Access_1* +- GP path: *System/Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + + + + + + + +
+ + +**Storage/WPDDevicesDenyWriteAccessPerDevice** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth +- Mass Storage Class (MSC) over USB + +If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. + +Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications. + +>[!NOTE] +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. + +Supported values for this policy are: +- Not configured +- 1-Enabled +- 0-Disabled + + + +ADMX Info: +- GP Friendly name: *WPD Devices: Deny write access* +- GP name: *WPDDevices_DenyWrite_Access_2* +- GP path: *System/Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + + + + + + + +
+ + +**Storage/WPDDevicesDenyWriteAccessPerUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth +- Mass Storage Class (MSC) over USB + +If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. + +Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications. + +>[!NOTE] +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. + +Supported values for this policy are: +- Not configured +- 1-Enabled +- 0-Disabled + + + +ADMX Info: +- GP Friendly name: *WPD Devices: Deny write access* +- GP name: *WPDDevices_DenyWrite_Access_2* +- GP path: *System/Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + + + + + + + +
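Review bot: the four new policy bodies in this hunk carry internal planning text that must not reach the published page: the line `Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications[TC(1] [TW2].` is a backlog note with reviewer tags, and it appears under both read policies and, without the tags, under both write policies; delete it from all four sections. Two further fixes in the same hunk: the ADMX Info for Storage/WPDDevicesDenyWriteAccessPerUser reuses the per-device GP name `WPDDevices_DenyWrite_Access_2` (the read policies use `_2` for per-device and `_1` for per-user, so this should be `_1`, which is what PATCH 04/26 later corrects), and the description says "Windows Portal devices" where WPD stands for Windows Portable Devices. Minor wording in all four copies: "IOS" should be "iOS", "an USB thumb drive" should be "a USB thumb drive", and "can still browser the USB via explorer" should be "can still browse the drive in File Explorer".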
From aa235ef9ef42e6fa7216a75c16dec08bde0cd0b2 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 24 Nov 2021 17:05:05 +0530 Subject: [PATCH 02/26] fix --- .../mdm/policy-csp-storage.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 7c441baca0..cdf3d508a1 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -857,10 +857,10 @@ Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer j >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. -Supported values for this policy are: -- Not configured -- 1-Enabled -- 0-Disabled +Supported values for this policy are: +- Not configured +- Enabled +- Disabled @@ -945,8 +945,8 @@ Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer j Supported values for this policy are: - Not configured -- 1-Enabled -- 0-Disabled +- Enabled +- Disabled @@ -1031,8 +1031,8 @@ Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer j Supported values for this policy are: - Not configured -- 1-Enabled -- 0-Disabled +- Enabled +- Disabled @@ -1117,8 +1117,8 @@ Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer j Supported values for this policy are: - Not configured -- 1-Enabled -- 0-Disabled +- Enabled +- Disabled From a434405f888184557819da4da5d76ee1530e8d5b Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 17:38:34 +0530 Subject: [PATCH 03/26] Update policy-csp-search.md --- .../mdm/policy-csp-search.md | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) 
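Review bot: PATCH 02/26 replaces `1-Enabled` / `0-Disabled` with bare `Enabled` / `Disabled` in all four WPD sections, which removes the only statement of what value is written to the policy node; if the numeric values were wrong, the list should instead say what an MDM server actually sends for enabled and disabled, not just the names. The first hunk of this patch also re-adds `Supported values for this policy are:` and `- Not configured` with no visible difference, so those are whitespace-only changes that add noise to the diff; drop them from the hunk or say in the commit message that trailing whitespace was cleaned up (the message `fix` says nothing about what was fixed).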
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 8eb0dbe3ea..667994f6ca 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -24,6 +24,9 @@ manager: dansimp
Search/AllowCloudSearch
+
+ Search/AllowCortanaInAAD +
Search/AllowFindMyFiles
@@ -138,6 +141,76 @@ The following list shows the supported values:
+ +**Search/AllowCortanaInAAD** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + + +ADMX Info: +- GP English name: *Allow Cloud Search* +- GP name: *AllowCortanaInAAD* +- GP element: *AllowCloudSearch_Dropdown* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + + + +This is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an AAD account. + + + + +
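Review bot: the ADMX Info block for Search/AllowCortanaInAAD is copied from Search/AllowCloudSearch: the GP English name `Allow Cloud Search` and the GP element `AllowCloudSearch_Dropdown` do not belong to an `AllowCortanaInAAD` policy, and the label `GP English name` differs from the `GP Friendly name` label used by every other entry in this series. The section also has no supported-values list even though the description calls it "a simple boolean value, default false"; add the list (the value that allows the Cortana page, the value that blocks it, and which one is the default) so an administrator knows what to set, and move the description above the ADMX Info block to match the layout of the other policy entries.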
+ From fcc0a6224db041d4a29d540b95ca60fe0c82ef1b Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 24 Nov 2021 18:09:12 +0530 Subject: [PATCH 04/26] correction! --- windows/client-management/mdm/policy-csp-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index cdf3d508a1..318ae0e1ce 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -1124,7 +1124,7 @@ Supported values for this policy are: ADMX Info: - GP Friendly name: *WPD Devices: Deny write access* -- GP name: *WPDDevices_DenyWrite_Access_2* +- GP name: *WPDDevices_DenyWrite_Access_1* - GP path: *System/Removable Storage Access* - GP ADMX file name: *RemovableStorage.admx* From a4c6bd8998a1d2c2b32439f5d2d5dc2f5a5c8205 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 19:27:49 +0530 Subject: [PATCH 05/26] Update policy-csp-power.md --- .../client-management/mdm/policy-csp-power.md | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 367d969417..e8b4361743 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -22,6 +22,9 @@ manager: dansimp ## Power policies
+
+ Power/AllowHibernate +
Power/AllowStandbyStatesWhenSleepingOnBattery
@@ -98,6 +101,71 @@ manager: dansimp > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
+ + +**Power/AllowHibernate** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + + + +ADMX Info: +- GP Friendly name: *Decides if hibernate on the machine is allowed or not* +- GP name: *AllowHibernate* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + +
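Review bot: Power/AllowHibernate is added with no description and no supported-values list, so the section says only which editions and which scope apply; add a sentence stating what the policy controls (whether hibernate is allowed on the device) and the values with their default, as the other entries in this series do. The GP Friendly name `Decides if hibernate on the machine is allowed or not` reads like a description rather than a Group Policy display string; check it against power.admx before merging.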
From f79ffc90a802bf98d36e7b94f44685f3c9c4a731 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 10 Dec 2021 16:46:16 +0530 Subject: [PATCH 06/26] Updated as per feedback --- windows/client-management/mdm/policy-csp-storage.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 1050e76e25..da73c643b4 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -612,7 +612,7 @@ This policy will do the enforcement over the following protocols which are used If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications[TC(1] [TW2]. +Audit/Warn – Audit/Warn modes with customer justifications. >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -674,7 +674,7 @@ This policy will do the enforcement over the following protocols which are used If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications[TC(1] [TW2]. +Audit/Warn – Audit/Warn modes with customer justifications. >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. 
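Review bot: the replacement line `Audit/Warn – Audit/Warn modes with customer justifications.` in this hunk (and the identical edit in the other three hunks of PATCH 06/26) still tells the reader nothing; the original was an internal planning note, and trimming the `P1: in the future, will consider` prefix and the `[TC(1] [TW2]` tags does not turn it into documentation. Either remove the line in all four sections or state the actual behaviour, for example whether the policy has an audit-only mode and what it logs.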
@@ -736,7 +736,7 @@ This policy will do the enforcement over the following protocols which are used If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications. +Audit/Warn – Audit/Warn modes with customer justifications. >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -798,7 +798,7 @@ This policy will do the enforcement over the following protocols which are used If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications. +Audit/Warn – Audit/Warn modes with customer justifications. >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. From 9ea02ae7357144c883767173c6801d4696835136 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 01:05:18 +0530 Subject: [PATCH 07/26] Update policy-csp-applicationmanagement.md --- .../mdm/policy-csp-applicationmanagement.md | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 2fdd8c06c8..532d154577 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -20,6 +20,9 @@ manager: dansimp ## ApplicationManagement policies
+
+ ApplicationManagement/AllowAutomaticAppArchiving +
ApplicationManagement/AllowAllTrustedApps
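Review bot: the TOC entry ApplicationManagement/AllowAutomaticAppArchiving is inserted before ApplicationManagement/AllowAllTrustedApps, which breaks the alphabetical order of the list (`AllowAl…` sorts before `AllowAu…`); move the new entry one position down so it follows AllowAllTrustedApps.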
@@ -65,6 +68,62 @@ manager: dansimp
+
+ + +**ApplicationManagement/AllowAutomaticAppArchiving** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +This policy setting controls whether the system can archive infrequently used apps. + +- If you enable this policy setting, then the system will periodically check for and archive infrequently used apps. + +- If you disable this policy setting, then the system will not archive any apps. + +If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves. + + + +ADMX Info: +- GP Friendly name: *Allow all trusted apps to install* +- GP name: *AllowAutomaticAppArchiving* +- GP path: *Windows Components/App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + +The following list shows the supported values: + +- 0 - Explicit disable. +- 1 - Explicit enable. +- 65535 (default) - Not configured. + + + +
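Review bot: the GP Friendly name `Allow all trusted apps to install` belongs to AllowAllTrustedApps, not to this policy; take the display string for `AllowAutomaticAppArchiving` from AppxPackageManager.admx rather than carrying over the neighbour's. The rest of the section is in good shape: the enable, disable and not-configured behaviour is spelled out and the `0`, `1` and `65535 (default)` values are listed.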
From 509824dd4d99bcd21c9ec585e537657a0a417195 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 01:20:10 +0530 Subject: [PATCH 08/26] Update policy-csp-authentication.md --- .../mdm/policy-csp-authentication.md | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 78fee5443a..7344f3ddf4 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -39,6 +39,9 @@ manager: dansimp
Authentication/ConfigureWebSignInAllowedUrls
+
+ Authentication/ConfigureWebcamAccessDomainNames +
Authentication/EnableFastFirstSignIn
@@ -307,6 +310,55 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res **Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". + + + + + + + + + + + + +
+ + +**Authentication/ConfigureWebcamAccessDomainNames** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +Specifies the list of domain names that are allowed to access the webcam in Web Sign-in Windows device sign-in scenarios. + +Web Sign-in is only supported on Azure AD Joined PCs. + +**Example**: If your organization federates to "Contoso IDP" and your Web Sign-in portal at "signinportal.contoso.com" requires webcam access, the policy value should be "contoso.com". + + From 3c2922e2eb9ddb7414e9cbe883713c7223598af2 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 01:37:06 +0530 Subject: [PATCH 09/26] Update policy-csp-devicelock.md --- .../mdm/policy-csp-devicelock.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 64a8ef9104..d32b7868bc 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -28,6 +28,9 @@ manager: dansimp
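Review bot: the new Authentication/ConfigureWebcamAccessDomainNames section (PATCH 08/26) does not state the value format: the sibling ConfigureWebSignInAllowedUrls entry above it gives a semicolon-separated list as its example, but here only the single value `contoso.com` is shown, and the example leaves the matching rule unexplained (the portal is `signinportal.contoso.com`, yet the value is the parent domain, so readers will assume subdomain matching without being told). Add the separator for multiple entries, say whether a value also matches its subdomains, and make the security intent explicit: every domain listed here may access the webcam during the sign-in flow, so the list should be limited to the identity provider's own hosts.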
DeviceLock/AllowSimpleDevicePassword
+
+ DeviceLock/AllowScreenTimeoutWhileLockedUserConfig +
DeviceLock/AlphanumericDevicePasswordRequired
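Review bot: DeviceLock/AllowScreenTimeoutWhileLockedUserConfig is inserted after DeviceLock/AllowSimpleDevicePassword, which breaks the alphabetical order of the TOC (`AllowSc…` sorts before `AllowSi…`); move it one entry up.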
@@ -152,6 +155,47 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). + + +The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +
+ + +**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + The following list shows the supported values: From 463e8c1645953af6b6b409c4ad8204e100928977 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 01:50:40 +0530 Subject: [PATCH 10/26] Updated --- .../policy-configuration-service-provider.md | 8 ++ .../client-management/mdm/policy-csp-eap.md | 83 +++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 3 files changed, 93 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-eap.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f88a7df806..a8079fdff4 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -6181,6 +6181,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
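Review bot: this hunk splices the new section into the middle of the AllowSimpleDevicePassword entry: it adds a copy of that policy's value list (`The following list shows the supported values:` with `0 – Not allowed.` and `1 (default) – Allowed.`) above the new heading, while the original `The following list shows the supported values:` line stays below the new section as unchanged context, so the rendered page will show AllowSimpleDevicePassword's values twice, the second time under DeviceLock/AllowScreenTimeoutWhileLockedUserConfig. Move the insertion point to after the end of the AllowSimpleDevicePassword entry, and give the new policy its own description and value list; as written it contains only the edition table and scope and never says what it controls.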
+### EAP policies + +
+
+ EAP/AllowTLS1_3 +
+
+ ### Education policies
diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md new file mode 100644 index 0000000000..08c0a773c6 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -0,0 +1,83 @@ +--- +title: Policy CSP - EAP +description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app. +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: dansimp +ms.localizationpriority: medium +ms.date: 09/27/2019 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - EAP + + +
+ + +## EAP policies + +
+
+ EAP/AllowTLS1_3 +
+
+ + +
+ + +**EAP/AllowTLS1_3<** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting is added in Windows 10, version 21H1. Allow or disallow use of TLS 1.3 during EAP client authentication. + + + +ADMX Info: +- GP Friendly name: *AllowTLS1_3* +- GP name: *AllowTLS1_3* +- GP path: *Windows Components/EAP* +- GP ADMX file name: *EAP.admx* + + + +The following list shows the supported values: +- 0 – Use of TLS version 1.3 is not allowed for authentication. + +- 1 (default) – Use of TLS version 1.3 is allowed for authentication. + + + + +
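Review bot: the front matter `description` of the new policy-csp-eap.md is copied from the Education page (`Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app.`) and must describe the EAP policy instead; `ms.date: 09/27/2019` is also stale for a setting the body says was added in Windows 10, version 21H1. In the body, the heading `**EAP/AllowTLS1_3<**` has a stray `<`, and `GP Friendly name: *AllowTLS1_3*` repeats the GP name rather than the display string from EAP.admx. Since this is a security setting, the description should say what value 0 means in practice: EAP client authentication then falls back to an earlier TLS version, so 0 is a compatibility setting for authentication servers that do not yet support TLS 1.3, not a hardening option, and the default of 1 should be kept wherever the server supports it.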
+ + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 87673ea6e7..e0698232a0 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -701,6 +701,8 @@ items: href: policy-csp-display.md - name: DmaGuard href: policy-csp-dmaguard.md + - name: EAP + href: policy-csp-eap.md - name: Education href: policy-csp-education.md - name: EnterpriseCloudPrint From 3d578d806a94657b00b9934be9824f57b48a34a8 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 4 Jan 2022 11:41:34 +0530 Subject: [PATCH 11/26] Removed Audit/Warn line. --- windows/client-management/mdm/policy-csp-storage.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index da73c643b4..5d43f8f336 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -612,8 +612,6 @@ This policy will do the enforcement over the following protocols which are used If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – Audit/Warn modes with customer justifications. - >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. 
@@ -674,8 +672,6 @@ This policy will do the enforcement over the following protocols which are used If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – Audit/Warn modes with customer justifications. - >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -736,8 +732,6 @@ This policy will do the enforcement over the following protocols which are used If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – Audit/Warn modes with customer justifications. - >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -798,8 +792,6 @@ This policy will do the enforcement over the following protocols which are used If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – Audit/Warn modes with customer justifications. - >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. From abe2470a1ffba8b4861bbb66f31ee26cb21cae5e Mon Sep 17 00:00:00 2001 
From: Nimisha Satapathy Date: Tue, 4 Jan 2022 14:39:49 +0530 Subject: [PATCH 12/26] Updated --- .../policy-configuration-service-provider.md | 14 ++ .../mdm/policy-csp-humanpresence.md | 190 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 3 files changed, 206 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-humanpresence.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f88a7df806..0579418cbd 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -6371,6 +6371,20 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### HumanPresence policies + +
+
+ HumanPresence/ForceInstantLock +
+
+ HumanPresence/ForceInstantWake +
+
+ HumanPresence/ForceLockTimeout +
+
+ ### InternetExplorer policies
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md new file mode 100644 index 0000000000..f9d5c24842 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -0,0 +1,190 @@ +--- +title: Policy CSP - HumanPresence +description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM. +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: dansimp +ms.localizationpriority: medium +ms.date: 09/27/2019 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - HumanPresence + + + +
+ + +## HumanPresence policies + +
+
+ HumanPresence/ForceInstantLock +
+
+ HumanPresence/ForceInstantWake +
+
+ HumanPresence/ForceLockTimeout +
+
+ + +
+ + +**HumanPresence/ForceInstantLock** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies whether the device can lock when a human presence sensor detects a human. + + + +ADMX Info: +- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* +- GP name: *ForceInstantLock* +- GP path: *Windows Components/HumanPresence* +- GP ADMX file name: *HumanPresence.admx* + + + +The following list shows the supported values: + +- 2 = ForcedOff +- 1 = ForcedOn +- 0 = DefaultToUserChoice +- Defaults to 0. + + + +
+ + +**HumanPresence/ForceInstantWake** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies whether the device can lock when a human presence sensor detects a human. + + + +ADMX Info: +- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* +- GP name: *ForceInstantWake* +- GP path: *Windows Components/HumanPresence* +- GP ADMX file name: *HumanPresence.admx* + + + +The following list shows the supported values: + +- 2 = ForcedOff +- 1 = ForcedOn +- 0 = DefaultToUserChoice +- Defaults to 0. + + + +
+ + +**HumanPresence/ForceLockTimeout** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies at what distance the sensor wakes up when it sees a human in seconds. + + + +ADMX Info: +- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* +- GP name: *ForceLockTimeout* +- GP path: *Windows Components/HumanPresence* +- GP ADMX file name: *HumanPresence.admx* + + + +Integer value that specifies whether the device can lock when a human presence sensor detects a human. + +The following list shows the supported values: + +- 120 = 120 seconds +- 30 = 30 seconds +- 10 = 10 seconds +- 0 = DefaultToUserChoice +- Defaults to 0 + + + +
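Review bot: the three HumanPresence policies share one description, and it contradicts the ADMX friendly name in the same block: the friendly name says `wake on approach and lock on leave`, but ForceInstantLock is described as locking `when a human presence sensor detects a human` (it should be when the sensor no longer detects one), and ForceInstantWake repeats that same lock sentence instead of describing wake on approach. ForceLockTimeout is worse off: its description mixes units (`at what distance the sensor wakes up ... in seconds`), its second paragraph is again the lock sentence, and the value list (120, 30 and 10 seconds) shows it is a delay before the device locks after the user leaves, so say that. Also fix the front matter `description` (`Use the Policy CSP - HumanPresence setting allows wake on approach ...` is not a sentence), refresh `ms.date: 09/27/2019`, and give each policy its own GP Friendly name rather than the same sentence three times.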
+ + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 87673ea6e7..51ac7ce80f 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -721,6 +721,8 @@ items: href: policy-csp-games.md - name: Handwriting href: policy-csp-handwriting.md + - name: HumanPresence + href: policy-csp-humanpresence.md - name: InternetExplorer href: policy-csp-internetexplorer.md - name: Kerberos From 0d604646a85dc74575cb1609e0e7622c84ba23db Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 15:30:41 +0530 Subject: [PATCH 13/26] Update policy-csp-humanpresence.md --- windows/client-management/mdm/policy-csp-humanpresence.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index f9d5c24842..98fafc4e6d 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -46,8 +46,8 @@ manager: dansimp |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Enterprise|No|Yes| +|Education|No|Yes|
From e669287ba0f3a44ab5bc3c5c11b3d51b319b13ee Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 15:34:18 +0530 Subject: [PATCH 14/26] Update policy-csp-humanpresence.md --- windows/client-management/mdm/policy-csp-humanpresence.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 98fafc4e6d..9ce283864c 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -95,8 +95,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Enterprise|No|Yes| +|Education|No|Yes|
@@ -144,8 +144,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Enterprise|No|Yes| +|Education|No|Yes|
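Review bot: with this patch the ForceInstantWake and ForceLockTimeout tables say Windows 10 No / Windows 11 Yes for Enterprise and Education, whereas the tables in the newly added file said Yes for both; whichever is correct, the descriptions still carry no minimum Windows 11 version and do not say what happens on Windows 10 (rejected, or accepted and silently ignored), which is what an admin deploying lock-on-leave to a mixed estate needs to know. This hunk makes the same change patch 13 makes to the ForceInstantLock table at line 46; squash them into one commit whose message states where the edition/version matrix was verified.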
From 138fd479d992a3dae186013f3df28b880db1c1fc Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 15:41:22 +0530 Subject: [PATCH 15/26] Update policy-csp-humanpresence.md --- windows/client-management/mdm/policy-csp-humanpresence.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 9ce283864c..4a902246b7 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -95,8 +95,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| +|Enterprise|No|No| +|Education|No|No|
@@ -144,8 +144,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| +|Enterprise|No|No| +|Education|No|No|
From 0b923c92302e773bd31594ee428f8e579940ea1e Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 15:46:17 +0530 Subject: [PATCH 16/26] Update policy-csp-humanpresence.md --- windows/client-management/mdm/policy-csp-humanpresence.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 4a902246b7..9ce283864c 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -95,8 +95,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|No|No| -|Education|No|No| +|Enterprise|No|Yes| +|Education|No|Yes|
@@ -144,8 +144,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|No|No| -|Education|No|No| +|Enterprise|No|Yes| +|Education|No|Yes|
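Review bot: patch 16 reverts patch 15 line for line (No|No back to No|Yes in both tables at lines 95 and 144), so the pair leaves the file exactly as patch 14 left it and only adds noise to the history. Drop both before merge, or squash patches 13 through 16 into a single commit; the flip-flopping also suggests the Enterprise/Education rows were not checked against the policy DDF, so the final commit message should say where the Windows 10 No / Windows 11 Yes values come from.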
From dc2d02c4b0558776ab1ca484eb869f7eabd4e524 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 17:51:09 +0530 Subject: [PATCH 17/26] Update policy-csp-eap.md --- windows/client-management/mdm/policy-csp-eap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md index 08c0a773c6..4a50535a07 100644 --- a/windows/client-management/mdm/policy-csp-eap.md +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -30,7 +30,7 @@ manager: dansimp
-**EAP/AllowTLS1_3<** +**EAP/AllowTLS1_3** From 2cee54dd4a417f4358dd836c4e09dc6025fd67de Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 17:53:59 +0530 Subject: [PATCH 18/26] Update policy-csp-devicelock.md --- windows/client-management/mdm/policy-csp-devicelock.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index d32b7868bc..ebd5365b45 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -152,15 +152,14 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th > This policy must be wrapped in an Atomic command. - For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 (default) – Blocked +- 1 – Allowed From df09430ff830a7ed40fc6697f4d031da6a43e6d7 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 19:56:16 +0530 Subject: [PATCH 19/26] Update policy-csp-power.md --- windows/client-management/mdm/policy-csp-power.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index e8b4361743..f42ef230e5 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -120,22 +120,22 @@ manager: dansimp Pro - Yes + No Yes Business - Yes + No Yes Enterprise - Yes + No Yes Education - Yes + No Yes From dc66f44917d8b44b680ec3d1ca3f2bdfc9b25d06 Mon Sep 17 00:00:00 2001 
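Review bot: in the policy-csp-devicelock.md hunk the documented default flips from "1 (default) – Allowed" to "0 (default) – Blocked" with a commit message of "Update policy-csp-devicelock.md"; a change to a default is a behaviour claim and needs its source (the DDF, or the OS build in which the default changed) in the message, because an admin who reads the new text and leaves the policy unconfigured will assume simple PINs such as "1234" are already refused. If the default differs by version, say which. Also keep the wording used elsewhere on the DeviceLock page, "0 – Not allowed", rather than introducing "Blocked".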
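Review bot: in the policy-csp-power.md hunk (the edition table at lines 120 to 140, which from patch 21's heading fix at line 103 appears to be the one under Power/AllowHibernate) Windows 10 changes from Yes to No for Pro, Business, Enterprise and Education, but the Home row lies outside the hunk and the policy description gains no note of the version that introduced it. Add the minimum version or build the way the Storage hunks in patch 24 do ("To enable this policy, the minimum OS requirement is ..."), and say whether Windows 10 rejects the policy or accepts and ignores it; otherwise a Windows 10 reader cannot tell which of the two "No" means.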
From: Nimisha Satapathy Date: Wed, 5 Jan 2022 20:01:47 +0530 Subject: [PATCH 20/26] Update policy-csp-power.md --- windows/client-management/mdm/policy-csp-power.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index f42ef230e5..7ff6dc2585 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -14,11 +14,10 @@ manager: dansimp # Policy CSP - Power - -
+ ## Power policies
From b37498d8e28cb552079306229bc99e7374f18cbf Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 20:04:40 +0530 Subject: [PATCH 21/26] Update policy-csp-power.md --- windows/client-management/mdm/policy-csp-power.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 7ff6dc2585..535d207080 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -103,7 +103,7 @@ manager: dansimp
-**Power/AllowHibernate** +**Power/AllowHibernate** From da207de45741eed0d937f53f001f9757ac27704f Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 6 Jan 2022 16:10:30 +0530 Subject: [PATCH 22/26] Updated --- .../mdm/policy-csp-remotedesktop.md | 264 ++++++++++++++++++ .../mdm/policy-csp-search.md | 49 +--- 2 files changed, 266 insertions(+), 47 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-remotedesktop.md diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md new file mode 100644 index 0000000000..e30c9f6ceb --- /dev/null +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -0,0 +1,264 @@ +--- +title: Policy CSP - RemoteDesktop +description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display. +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: dansimp +ms.localizationpriority: medium +ms.date: 09/27/2019 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - RemoteDesktop + +
+ + +## RemoteDesktop policies + +
+
+ RemoteDesktop/AutoSubscription +
+
+ RemoteDesktop/LoadAadCredKeyFromProfile +
+
+ +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +**RemoteDesktop/AutoSubscription<** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + + + + +ADMX Info: +- GP Friendly name: *Customize warning messages* +- GP name: *AutoSubscription* +- GP path: *System/Remote Desktop* +- GP ADMX file name: *remotedesktop.admx* + + + + +
+ + +**RemoteAssistance/SessionLogging** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. + +If you enable this policy setting, log files are generated. + +If you disable this policy setting, log files are not generated. + +If you do not configure this setting, application-based settings are used. + + + + +ADMX Info: +- GP Friendly name: *Turn on session logging* +- GP name: *RA_Logging* +- GP path: *System/Remote Assistance* +- GP ADMX file name: *remoteassistance.admx* + + + + +
+ + +**RemoteAssistance/SolicitedRemoteAssistance** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. + +If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. + +If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. + +If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. + +If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." + +The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. + +The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. + +If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. + + + + +ADMX Info: +- GP Friendly name: *Configure Solicited Remote Assistance* +- GP name: *RA_Solicit* +- GP path: *System/Remote Assistance* +- GP ADMX file name: *remoteassistance.admx* + + + + +
+ + +**RemoteAssistance/UnsolicitedRemoteAssistance** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. + +If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. + +To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: + +`\` or + +`\` + +If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. + +Windows Vista and later + +Enable the Remote Assistance exception for the domain profile. 
The exception must contain: +Port 135:TCP +%WINDIR%\System32\msra.exe +%WINDIR%\System32\raserver.exe + +Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) + +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +%WINDIR%\System32\Sessmgr.exe + +For computers running Windows Server 2003 with Service Pack 1 (SP1) + +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +Allow Remote Desktop Exception + + + + +ADMX Info: +- GP Friendly name: *Configure Offer Remote Assistance* +- GP name: *RA_Unsolicit* +- GP path: *System/Remote Assistance* +- GP ADMX file name: *remoteassistance.admx* + + + +
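Review bot: the new policy-csp-remotedesktop.md file documents the two RemoteDesktop policies it lists at the top with no description, no supported values and no default: AutoSubscription has an empty body and an ADMX friendly name ("Customize warning messages") that does not match the policy name, and LoadAadCredKeyFromProfile does not appear at all; the second entry is headed RemoteAssistance/SessionLogging with RA_Logging from remoteassistance.admx, and the third and fourth entries (RemoteAssistance/SolicitedRemoteAssistance, RemoteAssistance/UnsolicitedRemoteAssistance) belong under the RemoteAssistance prefix and are not in this page's policy list, so they look pasted in from another file. For a policy that loads an Azure AD credential key from the profile and one that auto-subscribes the client to a remote desktop feed, the reader needs exactly the missing parts (what 0/1 do, the default, and what the ADMX mapping is), so either fill them in or leave the entries out until they are known. Smaller points in the same hunk: the heading "**RemoteDesktop/AutoSubscription<**" carries the same stray "<" that patch 17 removes from EAP/AllowTLS1_3; the helper-name format in the Offer Remote Assistance text has lost its placeholders and now reads "`\` or `\`" (the domain and user/group names around the backslash were stripped, presumably because angle brackets were not escaped); the front-matter `description:` ("specify a custom message to display") describes none of the policies here; and `ms.date: 09/27/2019` is wrong for a file created in this patch.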
+ + diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 667994f6ca..426be9aa21 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -191,6 +191,7 @@ The following list shows the supported values: +This policy allows the cortana opt-in page during windows setup out of the box experience. @@ -207,57 +208,11 @@ ADMX Info: This is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an AAD account. +
- - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- **Search/AllowFindMyFiles** From b53ee7ceeec4a4c1378b09145cfabe36fbb70ee4 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 6 Jan 2022 16:15:26 +0530 Subject: [PATCH 23/26] Update policy-csp-remotedesktop.md --- windows/client-management/mdm/policy-csp-remotedesktop.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index e30c9f6ceb..19de9949ac 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -80,7 +80,7 @@ ADMX Info:
-**RemoteAssistance/SessionLogging** +**RemoteDesktop/LoadAadCredKeyFromProfile** From be94903092daa8b58162b79a7784865d3d23dbe4 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 7 Jan 2022 12:29:23 +0530 Subject: [PATCH 24/26] Updated with windows version as per feedback --- windows/client-management/mdm/policy-csp-storage.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 5d43f8f336..31bf31a9f9 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -610,6 +610,8 @@ This policy will do the enforcement over the following protocols which are used - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth - Mass Storage Class (MSC) over USB +To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). + If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. >[!NOTE] @@ -670,6 +672,8 @@ This policy will do the enforcement over the following protocols which are used - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth - Mass Storage Class (MSC) over USB +To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). + If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. >[!NOTE] 
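Review bot: renaming the heading to RemoteDesktop/LoadAadCredKeyFromProfile leaves the body under it untouched, so the entry now carries the Remote Assistance session-logging description and the RA_Logging / remoteassistance.admx ADMX Info under a Remote Desktop policy name; that is worse than the mismatched heading, because a reader searching for the policy now finds a confident but wrong description. Replace the body with the real description, supported values, default and ADMX mapping, or remove the entry until those are known.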
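Review bot: the same sentence is pasted into all four WPD hunks of policy-csp-storage.md and links a preview update (KB5003217, "May 20, 2021 ... preview", build 17763.1971); devices on the normal servicing channel never install a preview by that name, so write "or later" or name the cumulative update that carried the change. The sentence should also say what happens on builds below 17763.1971 (is the policy rejected, or accepted and silently ignored?), since an admin using the WPD read/write denials as a data-exfiltration control needs to know whether "applied" in an MDM compliance report means "enforced". While here, the context line "any Windows Portal devices" should read "Windows Portable Devices (WPD)", the device class the MTP and MSC protocols listed just above belong to.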
@@ -730,6 +734,8 @@ This policy will do the enforcement over the following protocols which are used - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth - Mass Storage Class (MSC) over USB +To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). + If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. >[!NOTE] @@ -790,6 +796,8 @@ This policy will do the enforcement over the following protocols which are used - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth - Mass Storage Class (MSC) over USB +To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). + If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. >[!NOTE] From e04e0b5048948ef4ec7f8f1bb3fd39ea183a8efd Mon Sep 17 00:00:00 2001 From: Jacob Scott <49541449+mrjacobascott@users.noreply.github.com> Date: Fri, 7 Jan 2022 07:56:06 -0600 Subject: [PATCH 25/26] Removing duplicated text within a sentence The same sentence looked to be copied/pasted within itself by accident --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 18b041249a..c58336a73f 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
@@ -427,7 +427,7 @@ ADMX Info: The following list shows the supported values: - 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart.user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. 
Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. - 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. - 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. - 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. From 0b98840be99b915a5076310a8daff7af7fcbb338 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Mon, 10 Jan 2022 10:50:23 -0800 Subject: [PATCH 26/26] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index c58336a73f..36e1d8215a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 11/29/2021 +ms.date: 01/10/2022 ms.reviewer: manager: dansimp ms.collection: highpri